CS/CS/HB 9 2022
CODING: Words stricken are deletions; words underlined are additions.
hb0009-02-c2 Page 1 of 35
FLORIDA HOUSE OF REPRESENTATIVES

A bill to be entitled

An act relating to consumer data privacy; creating s. 501.173, F.S.; providing applicability; providing definitions; requiring controllers that collect a consumer's personal data to disclose certain information regarding data collection and selling practices to the consumer at or before the point of collection; specifying that such information may be provided through a general privacy policy or through a notice informing the consumer that additional specific information will be provided upon a certain request; prohibiting controllers from collecting additional categories of personal information or using personal information for additional purposes without notifying the consumer; requiring controllers that collect personal information to implement reasonable security procedures and practices to protect the information; authorizing consumers to request controllers to disclose the specific personal information the controller has collected about the consumer; requiring controllers to make available two or more methods for consumers to request their personal information; requiring controllers to provide such information free of charge within a certain timeframe and in a certain format upon receiving a verifiable consumer request; specifying requirements for third parties with respect to consumer information acquired or used; providing construction; authorizing consumers to request controllers to delete or correct personal information the controllers have collected about the consumers; providing exceptions; specifying requirements for controllers to comply with deletion or correction requests; authorizing consumers to opt out of third-party disclosure of personal information collected by a controller; prohibiting controllers from selling or disclosing the personal information of consumers younger than a certain age, except under certain circumstances; prohibiting controllers from selling or sharing a consumer's information if the consumer has opted out of such disclosure; prohibiting controllers from taking certain actions to retaliate against consumers who exercise certain rights; providing applicability; providing that a contract or agreement that waives or limits certain consumer rights is void and unenforceable; providing for civil actions and a private right of action for consumers under certain circumstances; providing civil remedies; authorizing the Department of Legal Affairs to bring an action under the Florida Unfair or Deceptive Trade Practices Act and to adopt rules; requiring the department to submit an annual report to the Legislature; providing report requirements; providing that controllers must have a specified timeframe to cure any violations; providing jurisdiction; declaring that the act is matter of statewide concern; preempting the collection, processing, sharing, and sale of consumer personal information to the state; amending s. 501.171, F.S.; revising the definition of "personal information"; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 501.173, Florida Statutes, is created to read:
501.173 Consumer data privacy.—
(1) APPLICABILITY.—This section applies to any entity that meets the definition of controller, processor, or third party, and that buys, sells, or shares personal information of Florida consumers. This section does not apply to entities that do not buy, sell, or share personal information of Florida consumers and such entities do not have to comply with this section. This section also does not apply to:
(a) Personal information collected and transmitted that is necessary for the sole purpose of sharing such personal information with a financial service provider solely to facilitate short term, transactional payment processing for the purchase of products or services.
(b) Personal information collected, used, retained, sold, shared, or disclosed as deidentified personal information or aggregate consumer information.
(c) Compliance with federal, state, or local laws.
(d) Compliance with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(e) Cooperation with law enforcement agencies concerning conduct or activity that the controller, processor, or third party reasonably and in good faith believes may violate federal, state, or local law.
(f) Exercising or defending legal claims.
(g) Personal information obtained through the controller's direct interactions with the consumer, if collected in accordance with the provisions of this section, that is used by the controller or the processor that the controller directly contracts with for advertising or marketing services to advertise or market products or services that are produced or offered directly by the controller. Such information may not be sold, shared, or disclosed unless otherwise authorized under this section.
(h) Personal information of a person acting in the role of a job applicant, employee, owner, director, officer, contractor, volunteer, or intern of a controller, that is collected by a controller, to the extent the personal information is collected and used solely within the context of the person's role or former role with the controller.
(i) Protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996 and related regulations, and patient identifying information for purposes of 42 C.F.R. part 2, established pursuant to 42 U.S.C. s. 290dd-2.
(j) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services in 45 C.F.R. parts 160 and 164, or a program or a qualified service program as defined in 42 C.F.R. part 2, to the extent the covered entity, business associate, or program maintains personal information in the same manner as medical information or protected health information as described in paragraph (i), and as long as the covered entity, business associate, or program does not use personal information for targeted advertising with third parties and does not sell or share personal information to a third party unless such sale or sharing is covered by an exception under this section.
(k) Identifiable private information collected for purposes of research as defined in 45 C.F.R. s. 164.501 conducted in accordance with the Federal Policy for the Protection of Human Subjects for purposes of 45 C.F.R. part 46, the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use, or the Protection for Human Subjects for purposes of 21 C.F.R. parts 50 and 56, or personal information that is used or shared in research conducted in accordance with one or more of these standards.
(l) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 and related regulations, or patient safety work product for purposes of 42 C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21 through 299b-26.
(m) Information that is deidentified in accordance with 45 C.F.R. part 164 and derived from individually identifiable health information as described in the Health Insurance Portability and Accountability Act of 1996, or identifiable personal information, consistent with the Federal Policy for the Protection of Human Subjects or the human subject protection requirements of the United States Food and Drug Administration.
(n) Information used only for public health activities and purposes as described in 45 C.F.R. s. 164.512.
(o) Personal information collected, processed, sold, or disclosed pursuant to the federal Fair Credit Reporting Act, 15 U.S.C. s. 1681 and implementing regulations.
(p) Nonpublic personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, 15 U.S.C. s. 6801 et seq., and implementing regulations.
(q) A financial institution as defined in the Gramm-Leach-Bliley Act, 15 U.S.C. s. 6801 et seq., to the extent the financial institution maintains personal information in the same manner as nonpublic personal information as described in paragraph (p), and as long as such financial institution does not use personal information for targeted advertising with third parties and does not sell or share personal information to a third party unless such sale or sharing is covered by an exception under this section.
(r) Personal information collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. s. 2721 et seq.
(s) Education information covered by the Family Educational Rights and Privacy Act, 20 U.S.C. s. 1232(g) and 34 C.F.R. part 99.
(t) Information collected as part of public or peer-reviewed scientific or statistical research in the public interest and that adheres to all other applicable ethics and privacy laws, if the consumer has provided informed consent. Research with personal information must be subjected by the controller conducting the research to additional security controls that limit access to the research data to only those individuals necessary to carry out the research purpose and subsequently deidentified.
(u) Personal information disclosed for the purpose of responding to an alert of a present risk of harm to a person or property or prosecuting those responsible for that activity.
(v) Personal information that is disclosed when a consumer uses or directs a controller to intentionally disclose information to a third party or uses the controller to intentionally interact with a third party. An intentional interaction occurs when the consumer intends to interact with the third party, by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
(w) An identifier used for a consumer who has opted out of the sale or sharing of the consumer's personal information for the sole purpose of alerting processors and third parties that the consumer has opted out of the sale or sharing of the consumer's personal information.
(x) Personal information transferred by a controller to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller, provided that information is used or shared consistently with this section. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the commitments or promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice must be sufficiently prominent and robust to ensure that consumers can easily exercise choices consistent with this section.
(2) DEFINITIONS.—As used in this section, the term:
(a) "Aggregate consumer information" means information that relates to a group or category of consumers, from which the identity of an individual consumer has been removed and is not reasonably capable of being directly or indirectly associated or linked with, any consumer, household, or device. The term does not include personal information that has been deidentified.
(b) "Biometric information" means an individual's physiological, biological, or behavioral characteristics that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. The term includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
(c) "Collect" means to buy, rent, gather, obtain, receive, or access any personal information pertaining to a consumer by any means. The term includes, but is not limited to, actively or passively receiving information from the consumer or by observing the consumer's behavior or actions.
(d) "Consumer" means a natural person who resides in or is domiciled in this state, however identified, including by any unique identifier, who is acting in a personal capacity or household context. The term does not include a natural person acting on behalf of a legal entity in a commercial or employment context.
(e) "Controller" means:
1. A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
a. Is organized or operated for the profit or financial benefit of its shareholders or owners;
b. Does business in this state;
c. Collects personal information about consumers, or is the entity on behalf of which such information is collected;
d. Determines the purposes and means of processing personal information about consumers alone or jointly with others; and
e. Satisfies at least two of the following thresholds:
(I) Has global annual gross revenues in excess of $50 million, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
(II) Annually buys, sells, or shares the personal information of 50,000 or more consumers, households, and devices for the purpose of targeted advertising in conjunction with third parties. The 50,000 total only includes personal information that is bought, sold, or shared within the previous 12 months.
(III) Derives 50 percent or more of its global annual revenues from selling or sharing personal information about consumers.
2. Any entity that controls or is controlled by a controller. As used in this subparagraph, the term "control" means:
a. Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a controller;
b. Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or
c. The power to exercise a controlling influence over the management of a company.
(f) "Deidentified" means information that cannot reasonably be used to infer information about or otherwise be linked to a particular consumer, provided that the controller that possesses the information:
1. Takes reasonable measures to ensure that the information cannot be associated with a specific consumer;
2. Maintains and uses the information in deidentified form and not to attempt to reidentify the information, except that the controller may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this paragraph; and
3. Contractually obligates any recipients of the information to comply with all the provisions of this paragraph to avoid reidentifying such information.
(g) "Department" means the Department of Legal Affairs.
(h) "Device" means a physical object associated with a consumer or household capable of directly or indirectly connecting to the Internet.
(i) "Genetic information" means an individual's deoxyribonucleic acid (DNA).
(j) "Homepage" means the introductory page of an Internet website and any Internet webpage where personal information is collected. In the case of a mobile application, the homepage is the application's platform page or download page, a link within the application, such as the "About" or "Information" application configurations, or settings page, and any other location that allows consumers to review the notice required by subsection (7), including, but not limited to, before downloading the application.
(k) "Household" means a natural person or a group of people in this state who reside at the same address, share a common device or the same service provided by a controller, and are identified by a controller as sharing the same group account or unique identifier.
(l) "Personal information" means information that is linked or reasonably linkable to an identified or identifiable consumer or household, including biometric information, genetic information, and unique identifiers to the consumer. The term does not include consumer information that is:
1. Consumer employment contact information, including a position name or title, employment qualifications, emergency contact information, business telephone number, business electronic mail address, employee benefit information, and similar information used solely in an employment context.
2. Deidentified or aggregate consumer information.
3. Publicly and lawfully available information reasonably believed to be made available to the public in a lawful manner and without legal restrictions:
a. From federal, state, or local government records.
b. By a widely distributed media source.
c. By the consumer or by someone to whom the consumer disclosed the information unless the consumer has purposely and effectively restricted the information to a certain audience on a private account.
(m) "Processing" means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means.
(n) "Processor" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a controller and to which the controller discloses a consumer's personal information pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the controller, as permitted by this section.
(o) "Sell" means to sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, a consumer's personal information by a controller to another controller or a third party for monetary or other valuable consideration.
(p) "Share" means to share, rent, release, disclose, disseminate, make available, transfer, or access a consumer's personal information for advertising or marketing. The term includes:
1. Allowing a third party to use or advertise or market to a consumer based on a consumer's personal information without disclosure of the personal information to the third party.
2. Monetary transactions, nonmonetary transactions, and transactions for other valuable consideration between a controller and a third party for advertising or marketing for the benefit of a controller.
(q) "Targeted advertising" means marketing to a consumer or displaying an advertisement to a consumer when the advertisement is selected based on personal information used to predict such consumer's preferences or interests.
(r) "Third party" means a person who is not the controller or the processor.
(s) "Verifiable consumer request" means a request related to personal information that is made by a consumer, by a parent or guardian on behalf of a consumer who is a minor child, or by a person authorized by the consumer to act on the consumer's behalf, in a form that is reasonably and readily accessible to consumers and that the controller can reasonably verify to be the consumer, pursuant to rules adopted by the department.
(3) CONSUMER DATA COLLECTION REQUIREMENTS AND RESPONSIBILITIES.—
(a) A controller that collects personal information about consumers shall maintain an up-to-date online privacy policy and make such policy available from its homepage. The online privacy policy must include the following information:
1. Any Florida-specific consumer privacy rights.
2. A list of the types and categories of personal information the controller collects, sells, or shares, or has collected, sold, or shared, about consumers.
3. The consumer's right to request deletion or correction of certain personal information.
4. The consumer's right to opt-out of the sale or sharing to third parties.
(b) A controller that collects personal information shall, at or before the point of collection, inform, or direct the processor to inform, consumers of the categories of personal information to be collected and the purposes for which the categories of personal information will be used.
(c) A controller may not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
(d) A controller that collects a consumer's personal information shall implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.
(e) A controller shall adopt and implement a retention schedule that prohibits the use or retention of personal information not subject to an exemption by the controller or processor after the satisfaction of the initial purpose for which such information was collected or obtained, after the expiration or termination of the contract pursuant to which the information was collected or obtained, or 3 years after the consumer's last interaction with the controller. This paragraph does not apply to personal information reasonably used or retained to do any of the following:
1. Fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
2. Provide a good or service requested by the consumer, or reasonably anticipate the request of such good or service within the context of a controller's ongoing business relationship with the consumer.
3. Detect security threats or incidents; protect against malicious, deceptive, fraudulent, unauthorized, or illegal activity or access; or prosecute those responsible for such activity or access.
4. Debug to identify and repair errors that impair existing intended functionality.
5. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws when the controller's deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
6. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the controller or that are compatible with the context in which the consumer provided the information.
7. Comply with a legal obligation, including any state or federal retention laws.
8. As reasonably needed to protect the controller's interests against existing disputes, legal action, or governmental investigations.
9. Assure the physical security of persons or property.
(4) CONSUMER RIGHT TO REQUEST COPY OF PERSONAL DATA COLLECTED, SOLD, OR SHARED.—
(a) A consumer has the right to request that a controller that collects, sells, or shares personal information about the consumer to disclose the following to the consumer:
1. The specific pieces of personal information that have been collected about the consumer.
2. The categories of sources from which the consumer's personal information was collected.
3. The specific pieces of personal information about the consumer that were sold or shared.
4. The third parties to which the personal information about the consumer was sold or shared.
5. The categories of personal information about the consumer that were disclosed to a processor.
(b) A controller that collects, sells, or shares personal information about a consumer shall disclose the information specified in paragraph (a) to the consumer upon receipt of a verifiable consumer request.
(c) This subsection does not require a controller to retain, reidentify, or otherwise link any data that, in the ordinary course of business is not maintained in a manner that would be considered personal information.
(d) The controller shall deliver the information required or act on the request in this subsection to a consumer free of charge within 45 calendar days after receiving a verifiable consumer request. The response period may be extended once by 45 additional calendar days when reasonably necessary, provided the controller informs the consumer of any such extension within the initial 45-day response period and the reason for the extension. The information must be delivered in a readily usable format. A controller is not obligated to provide information to the consumer if the consumer or a person authorized to act on the consumer's behalf does not provide verification of identity or verification of authorization to act with the permission of the consumer.
(e) A controller may provide personal information to a consumer at any time, but is not required to provide personal information to a consumer more than twice in a 12-month period.
(f) This subsection does not apply to personal information relating solely to households.
477 (5) RIGHT TO HAVE PERSONAL INFORMATION DELETED OR 478 CORRECTED.— 479 (a) A consumer has the right to request that a controller 480 delete any personal information about the consumer which the 481 controller has collected from the consumer. 482 1. A controller that receives a verifiable consumer 483 request to delete the consumer's personal inform ation shall 484 delete the consumer's personal information from its records and 485 direct any processors to delete such information within 90 486 calendar days of receipt of the verifiable consumer request. 487 2. A controller or a processor acting pursuant to its 488 contract with the controller may not be required to comply with 489 a consumer's request to delete the consumer's personal 490 information if it is reasonably necessary for the controller or 491 processor to maintain the consumer's personal information to do 492 any of the following: 493 a. Complete the transaction for which the personal 494 information was collected. 495 b. Fulfill the terms of a written warranty or product 496 recall conducted in accordance with federal law. 497 c. Provide a good or service requested by the consumer, or 498 reasonably anticipate the request of such good or service within 499 the context of a controller's ongoing business relationship with 500 CS/CS/HB 9 2022 CODING: Words stricken are deletions; words underlined are additions. hb0009-02-c2 Page 21 of 35 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S the consumer, or otherwise perform a contract between the 501 controller and the consumer. 502 d. Detect security threats or incident s; protect against 503 malicious, deceptive, fraudulent, unauthorized, or illegal 504 activity or access; or prosecute those responsible for such 505 activity or access. 506 e. Debug to identify and repair errors that impair 507 existing intended functionality. 508 f. 
Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws when the controller's deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
g. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the controller or that are compatible with the context in which the consumer provided the information.
h. Comply with a legal obligation, including any state or federal retention laws.
i. As reasonably needed to protect the controller's interests against existing disputes, legal action, or governmental investigations.
j. Assure the physical security of persons or property.
(b) A consumer has the right to make a request to correct inaccurate personal information to a controller that maintains inaccurate personal information about the consumer. A controller that receives a verifiable consumer request to correct inaccurate personal information shall use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer and direct any processors to correct such information within 90 calendar days after receipt of the verifiable consumer request. If a controller maintains a self-service mechanism to allow a consumer to correct certain personal information, the controller may require the consumer to correct their own personal information through such mechanism.
A controller or a processor acting pursuant to its contract with the controller may not be required to comply with a consumer's request to correct the consumer's personal information if it is reasonably necessary for the controller or processor to maintain the consumer's personal information to do any of the following:
1. Complete the transaction for which the personal information was collected.
2. Fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
3. Detect security threats or incidents; protect against malicious, deceptive, fraudulent, unauthorized, or illegal activity or access; or prosecute those responsible for such activity or access.
4. Debug to identify and repair errors that impair existing intended functionality.
5. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the controller or that are compatible with the context in which the consumer provided the information.
6. Comply with a legal obligation, including any state or federal retention laws.
7. As reasonably needed to protect the controller's interests against existing disputes, legal action, or governmental investigations.
8. Assure the physical security of persons or property.
(6) RIGHT TO OPT-OUT OF THE SALE OR SHARING OF PERSONAL INFORMATION.—
(a) A consumer has the right at any time to direct a controller not to sell or share the consumer's personal information to a third party. This right may be referred to as the right to opt-out.
(b) Notwithstanding paragraph (a), a controller may not sell or share the personal information of a minor consumer if the controller has actual knowledge that the consumer is not 18 years of age or older. However, if a consumer who is between 13 and 18 years of age, or if the parent or guardian of a consumer who is 12 years of age or younger, has affirmatively authorized the sale or sharing of such consumer's personal information, then a controller may sell or share such information in accordance with this section. A controller that willfully disregards the consumer's age is deemed to have actual knowledge of the consumer's age. A controller that complies with the verifiable parental consent requirements of the Children's Online Privacy Protection Act, 15 U.S.C. s. 6501 et seq., shall be deemed compliant with any obligation to obtain parental consent.
(c) A controller that has received direction prohibiting the sale or sharing of the consumer's personal information is prohibited from selling or sharing the consumer's personal information beginning 48 hours after receipt of such direction, unless the consumer subsequently provides express authorization for the sale or sharing of the consumer's personal information.
(7) FORM TO OPT-OUT OF SALE OR SHARING OF PERSONAL INFORMATION.—
(a) A controller shall:
1. In a form that is reasonably accessible to consumers, provide a clear and conspicuous link on the controller's Internet homepage, entitled "Do Not Sell or Share My Personal Information," to an Internet webpage that enables a consumer, or a person authorized by the consumer, to opt-out of the sale or sharing of the consumer's personal information.
A controller may not require a consumer to create an account in order to direct the controller not to sell the consumer's personal information. A controller may accept a request to opt-out received through a user-enabled global privacy control, such as a browser plug-in or privacy setting, device setting, or other mechanism, which communicates or signals the consumer's choice to opt out.
2. For consumers who opted-out of the sale or sharing of their personal information, respect the consumer's decision to opt-out for at least 12 months before requesting that the consumer authorize the sale or sharing of the consumer's personal information.
3. Use any personal information collected from the consumer in connection with the submission of the consumer's opt-out request solely for the purposes of complying with the opt-out request.
(b) A consumer may authorize another person to opt-out of the sale or sharing of the consumer's personal information on the consumer's behalf pursuant to rules adopted by the department.
(8) ACTIONS RELATED TO CONSUMERS WHO EXERCISE PRIVACY RIGHTS.—
(a) A controller may charge a consumer who exercised any of the consumer's rights under this section a different price or rate, or provide a different level or quality of goods or services to the consumer, only if that difference is reasonably
related to the value provided to the controller by the consumer's data or is related to a consumer's voluntary participation in a financial incentive program, including a bona fide loyalty, rewards, premium features, discounts, or club card program offered by the controller.
(b) A controller may offer financial incentives, including payments to consumers as compensation, for the collection, sharing, sale, or deletion of personal information if the consumer gives the controller prior consent that clearly describes the material terms of the financial incentive program. The consent may be revoked by the consumer at any time.
(c) A controller may not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
(9) CONTRACTS AND ROLES.—
(a) Any contract or agreement between a controller and a processor must:
1. Prohibit the processor from selling, sharing, retaining, using, or disclosing the personal information for any purpose that violates this section;
2. Govern the processor's personal information processing procedures with respect to processing performed on behalf of the controller, including processing instructions, the nature and purpose of processing, the type of information subject to processing, the duration of processing, and the rights and obligations of both the controller and processor;
3. Require the processor to return or delete all personal information under the contract to the controller as requested by the controller at the end of the provision of services, unless retention of the information is required by law; and
4.
Upon request of the controller, require the processor to make available to the controller all personal information in its possession under the contract or agreement.
(b) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal information is to be processed. The contract between a controller and processor must reflect their respective roles and relationships related to handling personal information. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal information remains a processor.
(c) A third party may not sell or share personal information about a consumer that has been sold or shared to the third party by a controller unless the consumer has received explicit notice from the third party and is provided an opportunity to opt-out by the third party.
(d) A processor or third party must require any subcontractor to meet the same obligations of such processor or third party with respect to personal information.
(e) A processor or third party or any subcontractor thereof who violates any of the restrictions imposed upon it under this section is liable or responsible for any failure to comply with this section.
(f) Any provision of a contract or agreement of any kind that waives or limits in any way a consumer's rights under this section, including, but not limited to, any right to a remedy or means of enforcement, is deemed contrary to public policy and is void and unenforceable.
This section does not prevent a consumer from declining to request information from a controller, declining to opt-out of a controller's sale or sharing of the consumer's personal information, or authorizing a controller to sell or share the consumer's personal information after previously opting out.
(10) CIVIL ACTIONS; PRIVATE RIGHT OF ACTION.—
(a) A Florida consumer may only bring a civil action pursuant to this section against:
1. A controller, processor, or third party who has global annual gross revenues of at least $50 million, but not more than $500 million, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index. Upon prevailing, the Florida consumer may be awarded relief described in paragraph (c), but may not be awarded attorney fees or costs. Any private claim solely based on this section against a controller, processor, or third party who has global annual gross revenues of less than $50 million, is barred.
2. A controller, processor, or third party who has global annual gross revenues of more than $500 million, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index. Upon prevailing, the Florida consumer may be awarded relief described in paragraph (c), and shall recover reasonable attorney fees and costs.
(b) A Florida consumer may only bring a civil action pursuant to this section against a controller, processor, or third party who meets a threshold in paragraph (a) for the following actions:
1.
Failure to delete or correct the consumer's personal information pursuant to this section after receiving a verifiable consumer request or directions to delete or correct from a controller unless the controller, processor, or third party qualifies for an exception to the requirements to delete or correct under this section.
2. Continuing to sell or share the consumer's personal information after the consumer chooses to opt-out pursuant to this section.
3. Selling or sharing the personal information of the consumer age 18 or younger without obtaining consent as required by this section.
(c) A court may grant the following relief to a Florida consumer:
1. Statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.
2. Injunctive or declaratory relief.
(d) A controller, processor, or third party may only be awarded attorney fees if:
1. The case was dismissed with prejudice.
2. There was fraud on the part of the consumer.
3. The consumer is not a Florida consumer.
(e) A consumer must commence a civil action for a claim under this section within 1 year after discovery of the violation.
(f) Any action under this subsection may only be brought by or on behalf of a Florida consumer.
(g) Liability for a tort, contract claim, or consumer protection claim which is unrelated to an action brought under this subsection or subsection (11) does not arise solely from the failure of a controller, processor, or third party to comply with this section and evidence of such may only be used as the basis to prove a cause of action under this subsection.
(h) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the length of time over which the misconduct occurred, and the defendant's assets, liability, and net worth.
(11) ENFORCEMENT AND IMPLEMENTATION BY THE DEPARTMENT.—
(a) Any violation of this section is an unfair and deceptive trade practice actionable under part II of chapter 501 solely by the department against a controller, processor, or person. If the department has reason to believe that any controller, processor, or third party is in violation of this section, the department, as the enforcement authority, may bring an action against such controller, processor, or third party for an unfair or deceptive act or practice. For the purpose of bringing an action pursuant to this section, ss. 501.211 and 501.212 do not apply. Civil penalties may be tripled if the violation:
1. Involves a Florida consumer who the controller, processor, or third party has actual knowledge is 18 years of age or younger; or
2. Is based on paragraph (10)(b).
(b) After the department has notified a controller, processor, or third party in writing of an alleged violation, the department may in its discretion grant a 45-day period to cure the alleged violation. The 45-day cure period does not apply to a violation of subparagraph (10)(b)1.
The department may consider the number and frequency of violations, the substantial likelihood of injury to the public, and the safety of persons or property when determining whether to grant 45 calendar days to cure and the issuance of a letter of guidance. If the violation is cured to the satisfaction of the department and proof of such cure is provided to the department, the department in its discretion may issue a letter of guidance. If the controller, processor, or third party fails to cure the violation within 45 calendar days, the department may bring an action against the controller, processor, or third party for the alleged violation.
(c) Any action brought by the department may only be brought on behalf of a Florida consumer.
(d) By February 1 of each year, the department shall submit a report to the President of the Senate and the Speaker of the House of Representatives describing any actions taken by the department to enforce this section. The report shall include statistics and relevant information detailing:
1. The number of complaints received;
2. The number and type of enforcement actions taken and the outcomes of such actions;
3. The number of complaints resolved without the need for litigation; and
4. The status of the development and implementation of rules to implement this section.
(e) The department may adopt rules to implement this section, including standards for verifiable consumer requests, enforcement, data security, and authorized persons who may act on a consumer's behalf.
(12) JURISDICTION.—For purposes of bringing an action in accordance with subsections (10) and (11), any person who meets the definition of controller as defined in this section that collects, shares, or sells the personal information of Florida consumers, is considered to be both engaged in substantial and not isolated activities within this state and operating, conducting, engaging in, or carrying on a business, and doing business in this state, and is therefore subject to the jurisdiction of the courts of this state.
(13) PREEMPTION.—This section is a matter of statewide concern and supersedes all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection, processing, sharing, or sale of consumer personal information by a controller or processor. The regulation of the collection, processing, sharing, or sale of consumer personal information by a controller or processor is preempted to the state.
Section 2. Paragraph (g) of subsection (1) of section 501.171, Florida Statutes, is amended to read:
501.171 Security of confidential personal information.—
(1) DEFINITIONS.—As used in this section, the term:
(g)1. "Personal information" means either of the following:
a. An individual's first name or first initial and last
name in combination with any one or more of the following data elements for that individual:
(I) A social security number;
(II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
(III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account;
(IV) Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
(V) An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
(VI) An individual's biometric information or genetic information as defined in s. 501.173(2).
b. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
2. The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.
Section 3. This act shall take effect January 1, 2023.