Florida 2022 Regular Session

Florida House Bill H0009 Compare Versions

Old New Differences
11
22
3-CS/CS/HB 9, Engrossed 1 2022
3+CS/CS/HB 9 2022
44
55
66
77 CODING: Words stricken are deletions; words underlined are additions.
8-hb0009-03-e1
8+hb0009-02-c2
99 Page 1 of 35
1010 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
1111
1212
1313
1414 A bill to be entitled 1
1515 An act relating to consumer data privacy; creating s. 2
1616 501.173, F.S.; providing applicability; providing 3
1717 definitions; requiring controllers that collect a 4
1818 consumer's personal data to disclose certain 5
1919 information regarding data collection and selling 6
2020 practices to the consumer at or before the point of 7
2121 collection; specifying that such information may be 8
2222 provided through a general privacy policy or through a 9
2323 notice informing the consumer that additional specific 10
2424 information will be provided upon a certain reque st; 11
2525 prohibiting controllers from collecting additional 12
2626 categories of personal information or using personal 13
2727 information for additional purposes without notifying 14
2828 the consumer; requiring controllers that collect 15
2929 personal information to implement reasonable security 16
3030 procedures and practices to protect the information; 17
3131 authorizing consumers to request controllers to 18
3232 disclose the specific personal information the 19
3333 controller has collected about the consumer; requiring 20
3434 controllers to make available two or more me thods for 21
3535 consumers to request their personal information; 22
3636 requiring controllers to provide such information free 23
3737 of charge within a certain timeframe and in a certain 24
3838 format upon receiving a verifiable consumer request; 25
3939
40-CS/CS/HB 9, Engrossed 1 2022
40+CS/CS/HB 9 2022
4141
4242
4343
4444 CODING: Words stricken are deletions; words underlined are additions.
45-hb0009-03-e1
45+hb0009-02-c2
4646 Page 2 of 35
4747 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
4848
4949
5050
5151 specifying requirements for third p arties with respect 26
5252 to consumer information acquired or used; providing 27
5353 construction; authorizing consumers to request 28
5454 controllers to delete or correct personal information 29
5555 the controllers have collected about the consumers; 30
5656 providing exceptions; specifyin g requirements for 31
5757 controllers to comply with deletion or correction 32
5858 requests; authorizing consumers to opt out of third -33
5959 party disclosure of personal information collected by 34
6060 a controller; prohibiting controllers from selling or 35
6161 disclosing the personal inf ormation of consumers 36
6262 younger than a certain age, except under certain 37
6363 circumstances; prohibiting controllers from selling or 38
6464 sharing a consumer's information if the consumer has 39
6565 opted out of such disclosure; prohibiting controllers 40
6666 from taking certain act ions to retaliate against 41
6767 consumers who exercise certain rights; providing 42
6868 applicability; providing that a contract or agreement 43
6969 that waives or limits certain consumer rights is void 44
7070 and unenforceable; providing for civil actions and a 45
7171 private right of act ion for consumers under certain 46
7272 circumstances; providing civil remedies; authorizing 47
7373 the Department of Legal Affairs to bring an action 48
7474 under the Florida Unfair or Deceptive Trade Practices 49
7575 Act and to adopt rules; requiring the department to 50
7676
77-CS/CS/HB 9, Engrossed 1 2022
77+CS/CS/HB 9 2022
7878
7979
8080
8181 CODING: Words stricken are deletions; words underlined are additions.
82-hb0009-03-e1
82+hb0009-02-c2
8383 Page 3 of 35
8484 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
8585
8686
8787
8888 submit an annual report to the Legislature; providing 51
8989 report requirements; providing that controllers must 52
9090 have a specified timeframe to cure any violations; 53
9191 providing jurisdiction; declaring that the act is 54
9292 matter of statewide concern; preempting the 55
9393 collection, processing, sharing, and sale of consumer 56
9494 personal information to the state; amending s. 57
9595 501.171, F.S.; revising the definition of "personal 58
9696 information"; providing an effective date. 59
9797 60
9898 Be It Enacted by the Legislature of the State of Florida: 61
9999 62
100100 Section 1. Section 501.173, Florida Statutes, is created 63
101101 to read: 64
102102 501.173 Consumer data privacy. — 65
103103 (1) APPLICABILITY.—This section applies to any entity that 66
104104 meets the definition of controller, processor, or third party, 67
105105 and that buys, sells, or shares personal i nformation of Florida 68
106106 consumers. This section does not apply to entities that do not 69
107107 buy, sell, or share personal information of Florida consumers 70
108108 and such entities do not have to comply with this section. This 71
109109 section also does not apply to: 72
110110 (a) Personal information collected and transmitted that is 73
111111 necessary for the sole purpose of sharing such personal 74
112112 information with a financial service provider solely to 75
113113
114-CS/CS/HB 9, Engrossed 1 2022
114+CS/CS/HB 9 2022
115115
116116
117117
118118 CODING: Words stricken are deletions; words underlined are additions.
119-hb0009-03-e1
119+hb0009-02-c2
120120 Page 4 of 35
121121 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
122122
123123
124124
125125 facilitate short term, transactional payment processing for the 76
126126 purchase of products or services . 77
127127 (b) Personal information collected, used, retained, sold, 78
128128 shared, or disclosed as deidentified personal information or 79
129129 aggregate consumer information. 80
130130 (c) Compliance with federal, state, or local laws. 81
131131 (d) Compliance with a civil, criminal, or regu latory 82
132132 inquiry, investigation, subpoena, or summons by federal, state, 83
133133 or local authorities. 84
134134 (e) Cooperation with law enforcement agencies concerning 85
135135 conduct or activity that the controller, processor, or third 86
136136 party reasonably and in good faith believes may violate federal, 87
137137 state, or local law. 88
138138 (f) Exercising or defending legal claims. 89
139- (g) Personal information collected through the 90
140-controller's direct interactions with the consumer, if collected 91
141-in accordance with the provisions of this section, that is used 92
142-by the controller or the processor that the controller directly 93
139+ (g) Personal information obtained through the controller's 90
140+direct interactions with the consumer, if collected in 91
141+accordance with the provisions of this section, that is used by 92
142+the controller or the processor that the controller directly 93
143143 contracts with for advertising or marketing services to 94
144144 advertise or market products or services that are produced or 95
145145 offered directly by the controller. Such information may not be 96
146146 sold, shared, or disclosed unless otherwise authorized under 97
147147 this section. 98
148148 (h) Personal information of a person acting in the role of 99
149149 a job applicant, employee, owner, director, officer, contractor, 100
150150
151-CS/CS/HB 9, Engrossed 1 2022
151+CS/CS/HB 9 2022
152152
153153
154154
155155 CODING: Words stricken are deletions; words underlined are additions.
156-hb0009-03-e1
156+hb0009-02-c2
157157 Page 5 of 35
158158 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
159159
160160
161161
162162 volunteer, or intern of a controller, that is collected b y a 101
163163 controller, to the extent the personal information is collected 102
164164 and used solely within the context of the person's role or 103
165165 former role with the controller. 104
166166 (i) Protected health information for purposes of the 105
167167 federal Health Insurance Portability and Accountability Act of 106
168168 1996 and related regulations, and patient identifying 107
169169 information for purposes of 42 C.F.R. part 2, established 108
170170 pursuant to 42 U.S.C. s. 290dd -2. 109
171171 (j) A covered entity or business associate governed by the 110
172172 privacy, security, and breach notification rules issued by the 111
173173 United States Department of Health and Human Services in 45 112
174174 C.F.R. parts 160 and 164, or a program or a qualified service 113
175175 program as defined in 42 C.F.R. part 2, to the extent the 114
176176 covered entity, business associate, or program maintains 115
177177 personal information in the same manner as medical information 116
178178 or protected health information as described in paragraph (i), 117
179179 and as long as the covered entity, business associate, or 118
180180 program does not use personal information for targe ted 119
181181 advertising with third parties and does not sell or share 120
182182 personal information to a third party unless such sale or 121
183183 sharing is covered by an exception under this section. 122
184184 (k) Identifiable private information collected for 123
185185 purposes of research as defi ned in 45 C.F.R. s. 164.501 124
186186 conducted in accordance with the Federal Policy for the 125
187187
188-CS/CS/HB 9, Engrossed 1 2022
188+CS/CS/HB 9 2022
189189
190190
191191
192192 CODING: Words stricken are deletions; words underlined are additions.
193-hb0009-03-e1
193+hb0009-02-c2
194194 Page 6 of 35
195195 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
196196
197197
198198
199199 Protection of Human Subjects for purposes of 45 C.F.R. part 46, 126
200200 the good clinical practice guidelines issued by the 127
201201 International Council for Harmonisation of Technical 128
202202 Requirements for Pharmaceuticals for Human Use, or the 129
203203 Protection for Human Subjects for purposes of 21 C.F.R. parts 50 130
204204 and 56, or personal information that is used or shared in 131
205205 research conducted in accordance with one or more of these 132
206206 standards. 133
207207 (l) Information and documents created for purposes of the 134
208208 federal Health Care Quality Improvement Act of 1986 and related 135
209209 regulations, or patient safety work product for purposes of 42 136
210210 C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b -21 137
211211 through 299b-26. 138
212212 (m) Information that is deidentified in accordance with 45 139
213213 C.F.R. part 164 and derived from individually identifiable 140
214214 health information as described in the Health Insurance 141
215215 Portability and Accountability Act of 1996, or identifiable 142
216216 personal information, c onsistent with the Federal Policy for the 143
217217 Protection of Human Subjects or the human subject protection 144
218218 requirements of the United States Food and Drug Administration. 145
219219 (n) Information used only for public health activities and 146
220220 purposes as described in 45 C.F.R. s. 164.512. 147
221221 (o) Personal information collected, processed, sold, or 148
222222 disclosed pursuant to the federal Fair Credit Reporting Act, 15 149
223223 U.S.C. s. 1681 and implementing regulations. 150
224224
225-CS/CS/HB 9, Engrossed 1 2022
225+CS/CS/HB 9 2022
226226
227227
228228
229229 CODING: Words stricken are deletions; words underlined are additions.
230-hb0009-03-e1
230+hb0009-02-c2
231231 Page 7 of 35
232232 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
233233
234234
235235
236236 (p) Nonpublic personal information collected, processed, 151
237237 sold, or disclosed pursuant to the Gramm -Leach-Bliley Act, 15 152
238238 U.S.C. s. 6801 et seq., and implementing regulations. 153
239239 (q) A financial institution as defined in the Gramm -Leach-154
240240 Bliley Act, 15 U.S.C. s. 6801 et seq., to the extent the 155
241241 financial institution maintains pe rsonal information in the same 156
242242 manner as nonpublic personal information as described in 157
243243 paragraph (p), and as long as such financial institution does 158
244244 not use personal information for targeted advertising with third 159
245245 parties and does not sell or share person al information to a 160
246246 third party unless such sale or sharing is covered by an 161
247247 exception under this section. 162
248248 (r) Personal information collected, processed, sold, or 163
249249 disclosed pursuant to the federal Driver's Privacy Protection 164
250250 Act of 1994, 18 U.S.C. s. 272 1 et seq. 165
251251 (s) Education information covered by the Family 166
252252 Educational Rights and Privacy Act, 20 U.S.C. s. 1232(g) and 34 167
253253 C.F.R. part 99. 168
254254 (t) Information collected as part of public or peer -169
255255 reviewed scientific or statistical research in the public 170
256256 interest and that adheres to all other applicable ethics and 171
257257 privacy laws, if the consumer has provided informed consent. 172
258258 Research with personal information must be subjected by the 173
259259 controller conducting the research to additional security 174
260260 controls that limit access to the research data to only those 175
261261
262-CS/CS/HB 9, Engrossed 1 2022
262+CS/CS/HB 9 2022
263263
264264
265265
266266 CODING: Words stricken are deletions; words underlined are additions.
267-hb0009-03-e1
267+hb0009-02-c2
268268 Page 8 of 35
269269 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
270270
271271
272272
273273 individuals necessary to carry out the research purpose and 176
274274 subsequently deidentified. 177
275275 (u) Personal information disclosed for the purpose of 178
276276 responding to an alert of a present risk of harm to a person or 179
277277 property or prosecuting those responsible for that activity. 180
278278 (v) Personal information that is disclosed when a consumer 181
279279 uses or directs a controller to intentionally disclose 182
280280 information to a third party or uses the controller to 183
281281 intentionally interact with a t hird party. An intentional 184
282282 interaction occurs when the consumer intends to interact with 185
283283 the third party, by one or more deliberate interactions. 186
284284 Hovering over, muting, pausing, or closing a given piece of 187
285285 content does not constitute a consumer's intent to interact with 188
286286 a third party. 189
287287 (w) An identifier used for a consumer who has opted out of 190
288288 the sale or sharing of the consumer's personal information for 191
289289 the sole purpose of alerting processors and third parties that 192
290290 the consumer has opted out of the sale or sharing of the 193
291291 consumer's personal information. 194
292292 (x) Personal information transferred by a controller to a 195
293293 third party as an asset that is part of a merger, acquisition, 196
294294 bankruptcy, or other transaction in which the third party 197
295295 assumes control of all o r part of the controller, provided that 198
296296 information is used or shared consistently with this section. If 199
297297 a third party materially alters how it uses or shares the 200
298298
299-CS/CS/HB 9, Engrossed 1 2022
299+CS/CS/HB 9 2022
300300
301301
302302
303303 CODING: Words stricken are deletions; words underlined are additions.
304-hb0009-03-e1
304+hb0009-02-c2
305305 Page 9 of 35
306306 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
307307
308308
309309
310310 personal information of a consumer in a manner that is 201
311311 materially inconsistent with the commi tments or promises made at 202
312312 the time of collection, it shall provide prior notice of the new 203
313313 or changed practice to the consumer. The notice must be 204
314314 sufficiently prominent and robust to ensure that consumers can 205
315315 easily exercise choices consistent with this section. 206
316- (y) Personal information necessary to fulfill the terms of 207
317-a written warranty when such warranty was purchased by the 208
318-consumer or the product that is warranted was purchased by the 209
319-consumer. Such information may not be sold or shared unless 210
320-otherwise authorized under this section. 211
321- (z) Personal information necessary for a product recall 212
322-for a product purchased or owned by the consumer conducted in 213
323-accordance with federal law. Such information may not be sold or 214
324-shared unless otherwise authorized under this section. 215
325- (aa) Personal information processed solely for the purpose 216
326-of independently measuring or reporting advertising or content 217
327-performance, reach, or frequency pursuant to a contract with a 218
328-controller that collected personal information i n accordance 219
329-with this section. Such information may not be sold or shared 220
330-unless otherwise authorized under this section. 221
331- (2) DEFINITIONS.—As used in this section, the term: 222
332- (a) "Aggregate consumer information" means information 223
333-that relates to a grou p or category of consumers, from which the 224
334-identity of an individual consumer has been removed and is not 225
316+ (2) DEFINITIONS.—As used in this section, the term: 207
317+ (a) "Aggregate consumer information" means information 208
318+that relates to a group or category of consumers, from which the 209
319+identity of an individual consumer has been removed and is not 210
320+reasonably capable of being directly or indirectly associated or 211
321+linked with, any consumer, household, or device. The term does 212
322+not include personal information that has been deidentified. 213
323+ (b) "Biometric information" means an individual's 214
324+physiological, biologic al, or behavioral characteristics that 215
325+can be used, singly or in combination with each other or with 216
326+other identifying data, to establish individual identity. The 217
327+term includes, but is not limited to, imagery of the iris, 218
328+retina, fingerprint, face, hand, p alm, vein patterns, and voice 219
329+recordings, from which an identifier template, such as a 220
330+faceprint, a minutiae template, or a voiceprint, can be 221
331+extracted, and keystroke patterns or rhythms, gait patterns or 222
332+rhythms, and sleep, health, or exercise data that contain 223
333+identifying information. 224
334+ (c) "Collect" means to buy, rent, gather, obtain, receive, 225
335335
336-CS/CS/HB 9, Engrossed 1 2022
336+CS/CS/HB 9 2022
337337
338338
339339
340340 CODING: Words stricken are deletions; words underlined are additions.
341-hb0009-03-e1
341+hb0009-02-c2
342342 Page 10 of 35
343343 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
344344
345345
346346
347-reasonably capable of being directly or indirectly associated or 226
348-linked with, any consumer, household, or device. The term does 227
349-not include personal i nformation that has been deidentified. 228
350- (b) "Biometric information" means an individual's 229
351-physiological, biological, or behavioral characteristics that 230
352-can be used, singly or in combination with each other or with 231
353-other identifying data, to establish indi vidual identity. The 232
354-term includes, but is not limited to, imagery of the iris, 233
355-retina, fingerprint, face, hand, palm, vein patterns, and voice 234
356-recordings, from which an identifier template, such as a 235
357-faceprint, a minutiae template, or a voiceprint, can be 236
358-extracted, and keystroke patterns or rhythms, gait patterns or 237
359-rhythms, and sleep, health, or exercise data that contain 238
360-identifying information. 239
361- (c) "Collect" means to buy, rent, gather, obtain, receive, 240
362-or access any personal information pertaining to a consumer by 241
363-any means. The term includes, but is not limited to, actively or 242
364-passively receiving information from the consumer or by 243
365-observing the consumer's behavior or actions. 244
366- (d) "Consumer" means a natural person who resides in or is 245
367-domiciled in this state, however identified, including by any 246
368-unique identifier, who is acting in a personal capacity or 247
369-household context. The term does not include a natural person 248
370-acting on behalf of a legal entity in a commercial or employment 249
371-context. 250
347+or access any personal information pertaining to a consumer by 226
348+any means. The term includes, but is not limited to, actively or 227
349+passively receiving information fr om the consumer or by 228
350+observing the consumer's behavior or actions. 229
351+ (d) "Consumer" means a natural person who resides in or is 230
352+domiciled in this state, however identified, including by any 231
353+unique identifier, who is acting in a personal capacity or 232
354+household context. The term does not include a natural person 233
355+acting on behalf of a legal entity in a commercial or employment 234
356+context. 235
357+ (e) "Controller" means: 236
358+ 1. A sole proprietorship, partnership, limited liability 237
359+company, corporation, association, or leg al entity that meets 238
360+the following requirements: 239
361+ a. Is organized or operated for the profit or financial 240
362+benefit of its shareholders or owners; 241
363+ b. Does business in this state; 242
364+ c. Collects personal information about consumers, or is 243
365+the entity on behalf of which such information is collected; 244
366+ d. Determines the purposes and means of processing 245
367+personal information about consumers alone or jointly with 246
368+others; and 247
369+ e. Satisfies at least two of the following thresholds: 248
370+ (I) Has global annual gross re venues in excess of $50 249
371+million, as adjusted in January of every odd -numbered year to 250
372372
373-CS/CS/HB 9, Engrossed 1 2022
373+CS/CS/HB 9 2022
374374
375375
376376
377377 CODING: Words stricken are deletions; words underlined are additions.
378-hb0009-03-e1
378+hb0009-02-c2
379379 Page 11 of 35
380380 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
381381
382382
383383
384- (e) "Controller" means: 251
385- 1. A sole proprietorship, partnership, limited liability 252
386-company, corporation, association, or legal entity that meets 253
387-the following requirements: 254
388- a. Is organized or operated for the profit or financial 255
389-benefit of its shareholders or owne rs; 256
390- b. Does business in this state; 257
391- c. Collects personal information about consumers, or is 258
392-the entity on behalf of which such information is collected; 259
393- d. Determines the purposes and means of processing 260
394-personal information about consumers alone or jointly with 261
395-others; and 262
396- e. Satisfies at least two of the following thresholds: 263
397- (I) Has global annual gross revenues in excess of $50 264
398-million, as adjusted in January of every odd -numbered year to 265
399-reflect any increase in the Consumer Price Index. 266
400- (II) Annually buys, sells, or shares the personal 267
401-information of 50,000 or more consumers, households, and devices 268
402-for the purpose of targeted advertising in conjunction with 269
403-third parties. The 50,000 total only includes personal 270
404-information that is bought, so ld, or shared within the previous 271
405-12 months. 272
406- (III) Derives 50 percent or more of its global annual 273
407-revenues from selling or sharing personal information about 274
408-consumers. 275
384+reflect any increase in the Consumer Price Index. 251
385+ (II) Annually buys, sells, or shares the personal 252
386+information of 50,000 or more consumers, households, and devices 253
387+for the purpose of targeted advertising in conjunction with 254
388+third parties. The 50,000 total only includes personal 255
389+information that is bought, sold, or shared within the previous 256
390+12 months. 257
391+ (III) Derives 50 percent or more of its global annual 258
392+revenues from selling or sharing personal information about 259
393+consumers. 260
394+ 2. Any entity that controls or is controlled by a 261
395+controller. As used in this subparagraph, the term "control" 262
396+means: 263
397+ a. Ownership of, or the power to vote, more than 50 264
398+percent of the outstanding shares of any class of voting 265
399+security of a controller; 266
400+ b. Control in any manner over the election of a majority 267
401+of the directors, or of individuals exercising similar 268
402+functions; or 269
403+ c. The power to exercise a controlling influence over the 270
404+management of a company. 271
405+ (f) "Deidentified" means information that cannot 272
406+reasonably be used to infer information about or otherwise be 273
407+linked to a particular consumer, provided that the controller 274
408+that possesses the information: 275
409409
410-CS/CS/HB 9, Engrossed 1 2022
410+CS/CS/HB 9 2022
411411
412412
413413
414414 CODING: Words stricken are deletions; words underlined are additions.
415-hb0009-03-e1
415+hb0009-02-c2
416416 Page 12 of 35
417417 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
418418
419419
420420
421- 2. Any entity that controls or is controlled by a 276
422-controller. As used in this subp aragraph, the term "control" 277
423-means: 278
424- a. Ownership of, or the power to vote, more than 50 279
425-percent of the outstanding shares of any class of voting 280
426-security of a controller; 281
427- b. Control in any manner over the election of a majority 282
428-of the directors, or of individuals exercising similar 283
429-functions; or 284
430- c. The power to exercise a controlling influence over the 285
431-management of a company. 286
432- (f) "Deidentified" means information that cannot 287
433-reasonably be used to infer information about or otherwise be 288
434-linked to a particular consumer, provided that the controller 289
435-that possesses the information: 290
436- 1. Takes reasonable measures to ensure that the 291
437-information cannot be associated with a specific consumer; 292
438- 2. Maintains and uses the information in deidentified form 293
439-and not to attempt to reidentify the information, except that 294
440-the controller may attempt to reidentify the information solely 295
441-for the purpose of determining whether its deidentification 296
442-processes satisfy the requirements of this paragraph; and 297
443- 3. Contractually obligates any recipients of the 298
444-information to comply with all the provisions of this paragraph 299
445-to avoid reidentifying such information. 300
421+ 1. Takes reasonable me asures to ensure that the 276
422+information cannot be associated with a specific consumer; 277
423+ 2. Maintains and uses the information in deidentified form 278
424+and not to attempt to reidentify the information, except that 279
425+the controller may attempt to reidentify the inf ormation solely 280
426+for the purpose of determining whether its deidentification 281
427+processes satisfy the requirements of this paragraph; and 282
428+ 3. Contractually obligates any recipients of the 283
429+information to comply with all the provisions of this paragraph 284
430+to avoid reidentifying such information. 285
431+ (g) "Department" means the Department of Legal Affairs. 286
432+ (h) "Device" means a physical object associated with a 287
433+consumer or household capable of directly or indirectly 288
434+connecting to the Internet. 289
435+ (i) "Genetic informat ion" means an individual's 290
436+deoxyribonucleic acid (DNA). 291
437+ (j) "Homepage" means the introductory page of an Internet 292
438+website and any Internet webpage where personal information is 293
439+collected. In the case of a mobile application, the homepage is 294
440+the application's platform page or download page, a link within 295
441+the application, such as the "About" or "Information" 296
442+application configurations, or settings page, and any other 297
443+location that allows consumers to review the notice required by 298
444+subsection (7), including, but not limited to, before 299
445+downloading the application. 300
446446
447-CS/CS/HB 9, Engrossed 1 2022
447+CS/CS/HB 9 2022
448448
449449
450450
451451 CODING: Words stricken are deletions; words underlined are additions.
452-hb0009-03-e1
452+hb0009-02-c2
453453 Page 13 of 35
454454 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
455455
456456
457457
458- (g) "Department" means the Department of Legal Affairs. 301
459- (h) "Device" means a physical object associated with a 302
460-consumer or household capable of directly or indirectly 303
461-connecting to the Internet. 304
462- (i) "Genetic information" means an individual's 305
463-deoxyribonucleic acid (DNA). 306
464- (j) "Homepage" means the introductory page of an Internet 307
465-website and any Internet webpage wh ere personal information is 308
466-collected. In the case of a mobile application, the homepage is 309
467-the application's platform page or download page, a link within 310
468-the application, such as the "About" or "Information" 311
469-application configurations, or settings page, and any other 312
470-location that allows consumers to review the notice required by 313
471-subsection (7), including, but not limited to, before 314
472-downloading the application. 315
473- (k) "Household" means a natural person or a group of 316
474-people in this state who reside at the s ame address, share a 317
475-common device or the same service provided by a controller, and 318
476-are identified by a controller as sharing the same group account 319
477-or unique identifier. 320
478- (l) "Personal information" means information that is 321
479-linked or reasonably linkable to an identified or identifiable 322
480-consumer or household, including biometric information, genetic 323
481-information, and unique identifiers to the consumer. The term 324
482-does not include consumer information that is: 325
458+ (k) "Household" means a natural person or a group of 301
459+people in this state who reside at the same address, share a 302
460+common device or the same service provided by a controller, and 303
461+are identified by a controller as sharing the same group account 304
462+or unique identifier. 305
463+ (l) "Personal information" means information that is 306
464+linked or reasonably linkable to an identified or identifiable 307
465+consumer or household, including biometric information, genetic 308
466+information, and unique identifiers to the consumer. The term 309
467+does not include consumer information that is: 310
468+ 1. Consumer employment contact information, including a 311
469+position name or title, employment qualifications, emergency 312
470+contact information, business telep hone number, business 313
471+electronic mail address, employee benefit information, and 314
472+similar information used solely in an employment context. 315
473+ 2. Deidentified or aggregate consumer information. 316
474+ 3. Publicly and lawfully available information reasonably 317
475+believed to be made available to the public in a lawful manner 318
476+and without legal restrictions: 319
477+ a. From federal, state, or local government records. 320
478+ b. By a widely distributed media source. 321
479+ c. By the consumer or by someone to whom the consumer 322
480+disclosed the information unless the consumer has purposely and 323
481+effectively restricted the information to a certain audience on 324
482+a private account. 325
483483
484-CS/CS/HB 9, Engrossed 1 2022
484+CS/CS/HB 9 2022
485485
486486
487487
488488 CODING: Words stricken are deletions; words underlined are additions.
489-hb0009-03-e1
489+hb0009-02-c2
490490 Page 14 of 35
491491 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
492492
493493
494494
495- 1. Consumer employment contact information, inc luding a 326
496-position name or title, employment qualifications, emergency 327
497-contact information, business telephone number, business 328
498-electronic mail address, employee benefit information, and 329
499-similar information used solely in an employment context. 330
500- 2. Deidentified or aggregate consumer information. 331
501- 3. Publicly and lawfully available information reasonably 332
502-believed to be made available to the general public: 333
503- a. From federal, state, or local government records. 334
504- b. By a widely distributed media source. 335
505- c. By the consumer or by someone to whom the consumer 336
506-disclosed the information unless the consumer has purposely and 337
507-effectively restricted the information to a certain audience on 338
508-a private account. 339
509- (m) "Processing" means any operation or set of operatio ns 340
510-that are performed on personal information or on sets of 341
511-personal information, whether or not by automated means. 342
512- (n) "Processor" means a sole proprietorship, partnership, 343
513-limited liability company, corporation, association, or other 344
514-legal entity that is organized or operated for the profit or 345
515-financial benefit of its shareholders or other owners, that 346
516-processes information on behalf of a controller and to which the 347
517-controller discloses a consumer's personal information pursuant 348
518-to a written contract, provided that the contract prohibits the 349
519-entity receiving the information from retaining, using, or 350
495+ (m) "Processing" means any operation or set of operations 326
496+that are performed on personal information or on sets of 327
497+personal information, whether or not by automated means. 328
498+ (n) "Processor" means a sole proprietorship, partnership, 329
499+limited liability company, corporation, association, or other 330
500+legal entity that is organized or operated for the profit or 331
501+financial benefit of its shareholders or other owners, that 332
502+processes information on behalf of a controller and to which the 333
503+controller discloses a consumer's personal information pursuant 334
504+to a written contract, provided that the contract prohibits the 335
505+entity receiving the i nformation from retaining, using, or 336
506+disclosing the personal information for any purpose other than 337
507+for the specific purpose of performing the services specified in 338
508+the contract for the controller, as permitted by this section. 339
509+ (o) "Sell" means to sell, rent, release, disclose, 340
510+disseminate, make available, transfer, or otherwise communicate 341
511+orally, in writing, or by electronic or other means, a 342
512+consumer's personal information by a controller to another 343
513+controller or a third party for monetary or other val uable 344
514+consideration. 345
515+ (p) "Share" means to share, rent, release, disclose, 346
516+disseminate, make available, transfer, or access a consumer's 347
517+personal information for advertising or marketing. The term 348
518+includes: 349
519+ 1. Allowing a third party to use or advertise or market to 350
520520
521-CS/CS/HB 9, Engrossed 1 2022
521+CS/CS/HB 9 2022
522522
523523
524524
525525 CODING: Words stricken are deletions; words underlined are additions.
526-hb0009-03-e1
526+hb0009-02-c2
527527 Page 15 of 35
528528 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
529529
530530
531531
532-disclosing the personal information for any purpose other than 351
533-for the specific purpose of performing the services specified in 352
534-the contract for the control ler, as permitted by this section. 353
535- (o) "Sell" means to sell, rent, release, disclose, 354
536-disseminate, make available, transfer, or otherwise communicate 355
537-orally, in writing, or by electronic or other means, a 356
538-consumer's personal information by a controller t o another 357
539-controller or a third party for monetary or other valuable 358
540-consideration. 359
541- (p) "Share" means to share, rent, release, disclose, 360
542-disseminate, make available, transfer, or access a consumer's 361
543-personal information for advertising or marketing. The term 362
544-includes: 363
545- 1. Allowing a third party to advertise or market to a 364
546-consumer based on a consumer's personal information without 365
547-disclosure of the personal information to the third party. 366
548- 2. Monetary transactions, nonmonetary transactions, and 367
549-transactions for other valuable consideration between a 368
550-controller and a third party for advertising or marketing. 369
551- (q) "Targeted advertising" means marketing to a consumer 370
552-or displaying an advertisement to a consumer when the 371
553-advertisement is selected ba sed on personal information used to 372
554-predict such consumer's preferences or interests. 373
555- (r) "Third party" means a person who is not the controller 374
556-or the processor. 375
532+a consumer based on a consumer's personal information without 351
533+disclosure of the personal information to the third party. 352
534+ 2. Monetary transactions, nonmonetary transactions, and 353
535+transactions for other valuable consideration between a 354
536+controller and a third party for advertising or marketing for 355
537+the benefit of a controller. 356
538+ (q) "Targeted advertising" means marketing to a consumer 357
539+or displaying an advertisement to a consumer when the 358
540+advertisement is selected based on personal information used to 359
541+predict such consumer's preferences or interests. 360
542+ (r) "Third party" means a person who is not the controller 361
543+or the processor. 362
544+ (s) "Verifiable consumer request" means a request related 363
545+to personal information that is made by a consumer, by a parent 364
546+or guardian on behalf of a consumer who is a minor child, or by 365
547+a person authorized by the consumer to act on the consumer's 366
548+behalf, in a form that is reasonably and readily accessible to 367
549+consumers and that the controller can reasonably verify to be 368
550+the consumer, pursuant to rules adopted by the department. 369
551+ (3) CONSUMER DATA COLLECTION REQUIREMENTS AND 370
552+RESPONSIBILITIES.— 371
553+ (a) A controller that collects personal information about 372
554+consumers shall maintain an up -to-date online privacy policy and 373
555+make such policy available from its homepage. The online privacy 374
556+policy must include the following information: 375
557557
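Review bot: in (p)1. on the + side, "Allowing a third party to use or advertise or market to a consumer" leaves "use" without an object, so the sentence does not say what the third party is allowed to use. The - side's "Allowing a third party to advertise or market to a consumer" parses cleanly; if use of the personal information is what is meant, say so explicitly. Subparagraph 2 also differs: the + side ends "for advertising or marketing for the benefit of a controller", which limits the covered transactions to those that benefit a controller, and that narrowing should be confirmed as intended.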
558-CS/CS/HB 9, Engrossed 1 2022
558+CS/CS/HB 9 2022
559559
560560
561561
562562 CODING: Words stricken are deletions; words underlined are additions.
563-hb0009-03-e1
563+hb0009-02-c2
564564 Page 16 of 35
565565 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
566566
567567
568568
569- (s) "Verifiable consumer request" means a request related 376
570-to personal information that is made by a consumer, by a parent 377
571-or guardian on behalf of a consumer who is a minor child, or by 378
572-a person authorized by the consumer to act on the consumer's 379
573-behalf, in a form that is reasonably and readily accessible to 380
574-consumers and that the controller c an reasonably verify to be 381
575-the consumer, pursuant to rules adopted by the department. 382
576- (3) CONSUMER DATA COLLECTION REQUIREMENTS AND 383
577-RESPONSIBILITIES.— 384
578- (a) A controller that collects personal information about 385
579-consumers shall maintain an up -to-date online privacy policy and 386
580-make such policy available from its homepage. The online privacy 387
581-policy must include the following information: 388
582- 1. Any Florida-specific consumer privacy rights. 389
583- 2. A list of the types and categories of personal 390
584-information the controller collects, sells, or shares, or has 391
585-collected, sold, or shared, about consumers. 392
586- 3. The consumer's right to request deletion or correction 393
587-of certain personal information. 394
588- 4. The consumer's right to opt -out of the sale or sharing 395
589-to third parties. 396
590- (b) A controller that collects personal information from 397
591-the consumer shall, at or before the point of collection, 398
592-inform, or direct the processor to inform, consumers of the 399
593-categories of personal information to be collected and the 400
569+ 1. Any Florida-specific consumer privacy rights. 376
570+ 2. A list of the types and categories of personal 377
571+information the controller collects, sells, or shar es, or has 378
572+collected, sold, or shared, about consumers. 379
573+ 3. The consumer's right to request deletion or correction 380
574+of certain personal information. 381
575+ 4. The consumer's right to opt -out of the sale or sharing 382
576+to third parties. 383
577+ (b) A controller that colle cts personal information shall, 384
578+at or before the point of collection, inform, or direct the 385
579+processor to inform, consumers of the categories of personal 386
580+information to be collected and the purposes for which the 387
581+categories of personal information will be u sed. 388
582+ (c) A controller may not collect additional categories of 389
583+personal information or use personal information collected for 390
584+additional purposes without providing the consumer with notice 391
585+consistent with this section. 392
586+ (d) A controller that collects a consumer's personal 393
587+information shall implement and maintain reasonable security 394
588+procedures and practices appropriate to the nature of the 395
589+personal information to protect the personal information from 396
590+unauthorized or illegal access, destruction, use, modif ication, 397
591+or disclosure. 398
592+ (e) A controller shall adopt and implement a retention 399
593+schedule that prohibits the use or retention of personal 400
594594
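Review bot: (3)(b) differs in scope between the two sides, and neither says how notice works when the consumer is not the source. The - side applies the duty to a controller "that collects personal information from the consumer", so (3)(b) imposes no notice duty for personal information obtained from anyone else; the + side applies it to a controller "that collects personal information" from any source, where a "point of collection" is harder to identify because the consumer may not be present. Whichever wording is chosen, state when and how notice is given for information that does not come from the consumer directly.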
595-CS/CS/HB 9, Engrossed 1 2022
595+CS/CS/HB 9 2022
596596
597597
598598
599599 CODING: Words stricken are deletions; words underlined are additions.
600-hb0009-03-e1
600+hb0009-02-c2
601601 Page 17 of 35
602602 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
603603
604604
605605
606-purposes for which the categories of personal information will 401
607-be used. 402
608- (c) A controller may not collect additional categories of 403
609-personal information or use personal information collected for 404
610-additional purposes without providing the consumer with notice 405
611-consistent with this section. 406
612- (d) A controller that collects a consumer's personal 407
613-information shall implement and maintain reasonable security 408
614-procedures and practices appropriate to the nature of the 409
615-personal information to protect the personal information from 410
616-unauthorized or illegal access, destruction, use, modification, 411
617-or disclosure. 412
618- (e) A controller shall adopt and implement a retention 413
619-schedule that prohibits the use or retention of personal 414
620-information not subject to an exemption by the controller or 415
621-processor after the satisfaction of the initial purpose for 416
622-which such information was collected or obtained, after the 417
623-expiration or termination of the contract pursuant to which the 418
624-information was collected or obtained, or 3 years after the 419
625-consumer's last interaction with the controller. This paragraph 420
626-does not apply to personal information reasonably used or 421
627-retained to do any of the following: 422
628- 1. Fulfill the terms of a written warranty or product 423
629-recall conducted in accordance with federal law. 424
630- 2. Provide a good or service requested by the consumer, or 425
606+information not subject to an exemption by the controller or 401
607+processor after the satisfaction of the initial purpose f or 402
608+which such information was collected or obtained, after the 403
609+expiration or termination of the contract pursuant to which the 404
610+information was collected or obtained, or 3 years after the 405
611+consumer's last interaction with the controller. This paragraph 406
612+does not apply to personal information reasonably used or 407
613+retained to do any of the following: 408
614+ 1. Fulfill the terms of a written warranty or product 409
615+recall conducted in accordance with federal law. 410
616+ 2. Provide a good or service requested by the consumer, or 411
617+reasonably anticipate the request of such good or service within 412
618+the context of a controller's ongoing business relationship with 413
619+the consumer. 414
620+ 3. Detect security threats or incidents; protect against 415
621+malicious, deceptive, fraudulent, unauthorized, or il legal 416
622+activity or access; or prosecute those responsible for such 417
623+activity or access. 418
624+ 4. Debug to identify and repair errors that impair 419
625+existing intended functionality. 420
626+ 5. Engage in public or peer -reviewed scientific, 421
627+historical, or statistical resear ch in the public interest that 422
628+adheres to all other applicable ethics and privacy laws when the 423
629+controller's deletion of the information is likely to render 424
630+impossible or seriously impair the achievement of such research, 425
631631
632-CS/CS/HB 9, Engrossed 1 2022
632+CS/CS/HB 9 2022
633633
634634
635635
636636 CODING: Words stricken are deletions; words underlined are additions.
637-hb0009-03-e1
637+hb0009-02-c2
638638 Page 18 of 35
639639 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
640640
641641
642642
643-reasonably anticipate the request of such good or service within 426
644-the context of a controller's ongoing business relationship with 427
645-the consumer. 428
646- 3. Detect security threats or incidents; protect again st 429
647-malicious, deceptive, fraudulent, unauthorized, or illegal 430
648-activity or access; or prosecute those responsible for such 431
649-activity or access. 432
650- 4. Debug to identify and repair errors that impair 433
651-existing intended functionality. 434
652- 5. Engage in public or pee r-reviewed scientific, 435
653-historical, or statistical research in the public interest that 436
654-adheres to all other applicable ethics and privacy laws when the 437
655-controller's deletion of the information is likely to render 438
656-impossible or seriously impair the achievem ent of such research, 439
657-if the consumer has provided informed consent. 440
658- 6. Enable solely internal uses that are reasonably aligned 441
659-with the expectations of the consumer based on the consumer's 442
660-relationship with the controller or that are compatible with the 443
661-context in which the consumer provided the information. 444
662- 7. Comply with a legal obligation, including any state or 445
663-federal retention laws. 446
664- 8. As reasonably needed to protect the controller's 447
665-interests against existing disputes, legal action, or 448
666-governmental investigations. 449
667- 9. Assure the physical security of persons or property. 450
643+if the consumer has provided infor med consent. 426
644+ 6. Enable solely internal uses that are reasonably aligned 427
645+with the expectations of the consumer based on the consumer's 428
646+relationship with the controller or that are compatible with the 429
647+context in which the consumer provided the information. 430
648+ 7. Comply with a legal obligation, including any state or 431
649+federal retention laws. 432
650+ 8. As reasonably needed to protect the controller's 433
651+interests against existing disputes, legal action, or 434
652+governmental investigations. 435
653+ 9. Assure the physical security of persons or property. 436
654+ (4) CONSUMER RIGHT TO REQUEST COPY OF PERSONAL DATA 437
655+COLLECTED, SOLD, OR SHARED. 438
656+ (a) A consumer has the right to request that a controller 439
657+that collects, sells, or shares personal information about the 440
658+consumer to disclose the f ollowing to the consumer: 441
659+ 1. The specific pieces of personal information that have 442
660+been collected about the consumer. 443
661+ 2. The categories of sources from which the consumer's 444
662+personal information was collected. 445
663+ 3. The specific pieces of personal inform ation about the 446
664+consumer that were sold or shared. 447
665+ 4. The third parties to which the personal information 448
666+about the consumer was sold or shared. 449
667+ 5. The categories of personal information about the 450
668668
669-CS/CS/HB 9, Engrossed 1 2022
669+CS/CS/HB 9 2022
670670
671671
672672
673673 CODING: Words stricken are deletions; words underlined are additions.
674-hb0009-03-e1
674+hb0009-02-c2
675675 Page 19 of 35
676676 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
677677
678678
679679
680- (4) CONSUMER RIGHT TO REQUEST COPY OF PERSONAL DATA 451
681-COLLECTED, SOLD, OR SHARED. — 452
682- (a) A consumer has the right to request that a controller 453
683-that collects, sells, or shares p ersonal information about the 454
684-consumer to disclose the following to the consumer: 455
685- 1. The specific pieces of personal information that have 456
686-been collected about the consumer. 457
687- 2. The categories of sources from which the consumer's 458
688-personal information wa s collected. 459
689- 3. The specific pieces of personal information about the 460
690-consumer that were sold or shared. 461
691- 4. The third parties to which the personal information 462
692-about the consumer was sold or shared. 463
693- 5. The categories of personal information about the 464
694-consumer that were disclosed to a processor. 465
695- (b) A controller that collects, sells, or shares personal 466
696-information about a consumer shall disclose the information 467
697-specified in paragraph (a) to the consumer upon receipt of a 468
698-verifiable consumer request. 469
699- (c) This subsection does not require a controller to 470
700-retain, reidentify, or otherwise link any data that, in the 471
701-ordinary course of business is not maintained in a manner that 472
702-would be considered personal information. 473
703- (d) The controller shall deliver t he information required 474
704-or act on the request in this subsection to a consumer free of 475
680+consumer that were disclosed to a processor. 451
681+ (b) A controller that collects, sells, or shares personal 452
682+information about a consumer shall disclose the information 453
683+specified in paragraph (a) to the consumer upon receipt of a 454
684+verifiable consumer request. 455
685+ (c) This subsection does not require a controller to 456
686+retain, reidentify, or otherwise link any data that, in the 457
687+ordinary course of business is not maintained in a manner that 458
688+would be considered personal information. 459
689+ (d) The controller shall deliver the information required 460
690+or act on the request in this subsection to a consumer free of 461
691+charge within 45 calendar days after receiving a verifiable 462
692+consumer request. The response period may be extended once by 45 463
693+additional calendar days when reasonably necessary, provided the 464
694+controller informs the consumer o f any such extension within the 465
695+initial 45-day response period and the reason for the extension. 466
696+The information must be delivered in a readily usable format. A 467
697+controller is not obligated to provide information to the 468
698+consumer if the consumer or a person authorized to act on the 469
699+consumer's behalf does not provide verification of identity or 470
700+verification of authorization to act with the permission of the 471
701+consumer. 472
702+ (e) A controller may provide personal information to a 473
703+consumer at any time, but is not requ ired to provide personal 474
704+information to a consumer more than twice in a 12 -month period. 475
705705
706-CS/CS/HB 9, Engrossed 1 2022
706+CS/CS/HB 9 2022
707707
708708
709709
710710 CODING: Words stricken are deletions; words underlined are additions.
711-hb0009-03-e1
711+hb0009-02-c2
712712 Page 20 of 35
713713 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
714714
715715
716716
717-charge within 45 calendar days after receiving a verifiable 476
718-consumer request. The response period may be extended once by 45 477
719-additional calendar days when reasonably nec essary, provided the 478
720-controller informs the consumer of any such extension within the 479
721-initial 45-day response period and the reason for the extension. 480
722-The information must be delivered in a readily usable format. A 481
723-controller is not obligated to provide in formation to the 482
724-consumer if the consumer or a person authorized to act on the 483
725-consumer's behalf does not provide verification of identity or 484
726-verification of authorization to act with the permission of the 485
727-consumer. 486
728- (e) A controller may provide personal information to a 487
729-consumer at any time, but is not required to provide personal 488
730-information to a consumer more than twice in a 12 -month period. 489
731- (f) This subsection does not apply to personal information 490
732-relating solely to households. 491
733- (5) RIGHT TO HAVE P ERSONAL INFORMATION DELETED OR 492
734-CORRECTED.— 493
735- (a) A consumer has the right to request that a controller 494
736-delete any personal information about the consumer which the 495
737-controller has collected. 496
738- 1. A controller that receives a verifiable consumer 497
739-request to delete the consumer's personal information shall 498
740-delete the consumer's personal information from its records and 499
741-direct any processors to delete such information within 90 500
717+ (f) This subsection does not apply to personal information 476
718+relating solely to households. 477
719+ (5) RIGHT TO HAVE PERSONAL INFORMATION DELETED OR 478
720+CORRECTED.— 479
721+ (a) A consumer has the right to request that a controller 480
722+delete any personal information about the consumer which the 481
723+controller has collected from the consumer. 482
724+ 1. A controller that receives a verifiable consumer 483
725+request to delete the consumer's personal inform ation shall 484
726+delete the consumer's personal information from its records and 485
727+direct any processors to delete such information within 90 486
728+calendar days of receipt of the verifiable consumer request. 487
729+ 2. A controller or a processor acting pursuant to its 488
730+contract with the controller may not be required to comply with 489
731+a consumer's request to delete the consumer's personal 490
732+information if it is reasonably necessary for the controller or 491
733+processor to maintain the consumer's personal information to do 492
734+any of the following: 493
735+ a. Complete the transaction for which the personal 494
736+information was collected. 495
737+ b. Fulfill the terms of a written warranty or product 496
738+recall conducted in accordance with federal law. 497
739+ c. Provide a good or service requested by the consumer, or 498
740+reasonably anticipate the request of such good or service within 499
741+the context of a controller's ongoing business relationship with 500
742742
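Review bot: the + side of (5)(a) limits the deletion right to personal information "the controller has collected from the consumer", while (4)(a)2. gives the consumer a right to learn the "categories of sources from which the consumer's personal information was collected", which presupposes sources other than the consumer. Read together, information obtained from other sources could be disclosed on request but not deleted on request. The - side's "which the controller has collected" closes that gap; if the narrower wording is kept, say so explicitly and explain how a controller is expected to separate the two kinds of data when acting on a deletion request within the 90 calendar days in (5)(a)1.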
743-CS/CS/HB 9, Engrossed 1 2022
743+CS/CS/HB 9 2022
744744
745745
746746
747747 CODING: Words stricken are deletions; words underlined are additions.
748-hb0009-03-e1
748+hb0009-02-c2
749749 Page 21 of 35
750750 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
751751
752752
753753
754-calendar days of receipt of the verifiable consumer request. 501
755- 2. A controller or a p rocessor acting pursuant to its 502
756-contract with the controller may not be required to comply with 503
757-a consumer's request to delete the consumer's personal 504
758-information if it is reasonably necessary for the controller or 505
759-processor to maintain the consumer's pers onal information to do 506
760-any of the following: 507
761- a. Complete the transaction for which the personal 508
762-information was collected. 509
763- b. Fulfill the terms of a written warranty or product 510
764-recall conducted in accordance with federal law. 511
765- c. Provide a good or ser vice requested by the consumer, or 512
766-reasonably anticipate the request of such good or service within 513
767-the context of a controller's ongoing business relationship with 514
768-the consumer, or otherwise perform a contract between the 515
769-controller and the consumer. 516
770- d. Detect security threats or incidents; protect against 517
771-malicious, deceptive, fraudulent, unauthorized, or illegal 518
772-activity or access; or prosecute those responsible for such 519
773-activity or access. 520
774- e. Debug to identify and repair errors that impair 521
775-existing intended functionality. 522
776- f. Engage in public or peer -reviewed scientific, 523
777-historical, or statistical research in the public interest that 524
778-adheres to all other applicable ethics and privacy laws when the 525
754+the consumer, or otherwise perform a contract between the 501
755+controller and the consumer. 502
756+ d. Detect security threats or incident s; protect against 503
757+malicious, deceptive, fraudulent, unauthorized, or illegal 504
758+activity or access; or prosecute those responsible for such 505
759+activity or access. 506
760+ e. Debug to identify and repair errors that impair 507
761+existing intended functionality. 508
762+ f. Engage in public or peer-reviewed scientific, 509
763+historical, or statistical research in the public interest that 510
764+adheres to all other applicable ethics and privacy laws when the 511
765+controller's deletion of the information is likely to render 512
766+impossible or seriously imp air the achievement of such research, 513
767+if the consumer has provided informed consent. 514
768+ g. Enable solely internal uses that are reasonably aligned 515
769+with the expectations of the consumer based on the consumer's 516
770+relationship with the controller or that are com patible with the 517
771+context in which the consumer provided the information. 518
772+ h. Comply with a legal obligation, including any state or 519
773+federal retention laws. 520
774+ i. As reasonably needed to protect the controller's 521
775+interests against existing disputes, legal ac tion, or 522
776+governmental investigations. 523
777+ j. Assure the physical security of persons or property. 524
779778
780-CS/CS/HB 9, Engrossed 1 2022
779+CS/CS/HB 9 2022
781780
782781
783782
784783 CODING: Words stricken are deletions; words underlined are additions.
785-hb0009-03-e1
784+hb0009-02-c2
786785 Page 22 of 35
787786 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
788787
789788
790789
791-controller's deletion of the information is likely t o render 526
792-impossible or seriously impair the achievement of such research, 527
793-if the consumer has provided informed consent. 528
794- g. Enable solely internal uses that are reasonably aligned 529
795-with the expectations of the consumer based on the consumer's 530
796-relationship with the controller or that are compatible with the 531
797-context in which the consumer provided the information. 532
798- h. Comply with a legal obligation, including any state or 533
799-federal retention laws. 534
800- i. As reasonably needed to protect the controller's 535
801-interests against existing disputes, legal action, or 536
802-governmental investigations. 537
803- j. Assure the physical security of persons or property. 538
804- (b) A consumer has the right to make a request to correct 539
805-inaccurate personal information to a controller that maintains 540
806-inaccurate personal information about the consumer. A controller 541
807-that receives a verifiable consumer request to correct 542
808-inaccurate personal information shall use commercially 543
809-reasonable efforts to correct the inaccurate personal 544
810-information as directed by t he consumer and direct any 545
811-processors to correct such information within 90 calendar days 546
812-after receipt of the verifiable consumer request. If a 547
813-controller maintains a self -service mechanism to allow a 548
814-consumer to correct certain personal information, the controller 549
815-may require the consumer to correct their own personal 550
790+ (b) A consumer has the right to make a request to correct 525
791+inaccurate personal information to a controller that maintains 526
792+inaccurate personal information about the consumer. A controller 527
793+that receives a verifiable consumer request to correct 528
794+inaccurate personal information shall use commercially 529
795+reasonable efforts to correct the inaccurate personal 530
796+information as directed by the consumer and direct any 531
797+processors to correct such information within 90 calendar days 532
798+after receipt of the verifiable consumer request. If a 533
799+controller maintains a self -service mechanism to allow a 534
800+consumer to correct certain personal information, the controller 535
801+may require the consumer to correct their own personal 536
802+information through such mechanism. A controller or a processor 537
803+acting pursuant to its contract with the controller may not be 538
804+required to comply with a consumer's request to correct the 539
805+consumer's personal information if it i s reasonably necessary 540
806+for the controller or processor to maintain the consumer's 541
807+personal information to do any of the following: 542
808+ 1. Complete the transaction for which the personal 543
809+information was collected. 544
810+ 2. Fulfill the terms of a written warranty or product 545
811+recall conducted in accordance with federal law. 546
812+ 3. Detect security threats or incidents; protect against 547
813+malicious, deceptive, fraudulent, unauthorized, or illegal 548
816814
817-CS/CS/HB 9, Engrossed 1 2022
815+CS/CS/HB 9 2022
818816
819817
820818
821819 CODING: Words stricken are deletions; words underlined are additions.
822-hb0009-03-e1
820+hb0009-02-c2
823821 Page 23 of 35
824822 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
825823
826824
827825
828-information through such mechanism. A controller or a processor 551
829-acting pursuant to its contract with the controller may not be 552
830-required to comply with a consumer's request to correct the 553
831-consumer's personal information if it is reasonably necessary 554
832-for the controller or processor to maintain the consumer's 555
833-personal information to do any of the following: 556
834- 1. Complete the transaction for which the personal 557
835-information was collected. 558
836- 2. Fulfill the terms of a written warranty or product 559
837-recall conducted in accordance with federal law. 560
838- 3. Detect security threats or incidents; protect against 561
839-malicious, deceptive, fraudulent, unauthorized, or illegal 562
840-activity or access; or prosecute those res ponsible for such 563
841-activity or access. 564
842- 4. Debug to identify and repair errors that impair 565
843-existing intended functionality. 566
844- 5. Enable solely internal uses that are reasonably aligned 567
845-with the expectations of the consumer based on the consumer's 568
846-relationship with the controller or that are compatible with the 569
847-context in which the consumer provided the information. 570
848- 6. Comply with a legal obligation, including any state or 571
849-federal retention laws. 572
850- 7. As reasonably needed to protect the controller's 573
851-interests against existing disputes, legal action, or 574
852-governmental investigations. 575
826+activity or access; or prosecute those responsible for such 549
827+activity or access. 550
828+ 4. Debug to identify and repair errors that impair 551
829+existing intended functionality. 552
830+ 5. Enable solely internal uses that are reasonably aligned 553
831+with the expectations of the consumer based on the consumer's 554
832+relationship with the controller or that are compatible with the 555
833+context in which the consumer provided the information. 556
834+ 6. Comply with a legal obligation, including any state or 557
835+federal retention laws. 558
836+ 7. As reasonably needed to protect the controller's 559
837+interests against existing disputes, legal action, or 560
838+governmental investigations. 561
839+ 8. Assure the physical security of persons or property. 562
840+ (6) RIGHT TO OPT-OUT OF THE SALE OR SHARING OF PERSONAL 563
841+INFORMATION.— 564
842+ (a) A consumer has the right at any time to direct a 565
843+controller not to sell or shar e the consumer's personal 566
844+information to a third party. This right may be referred to as 567
845+the right to opt-out. 568
846+ (b) Notwithstanding paragraph (a), a controller may not 569
847+sell or share the personal information of a minor consumer if 570
848+the controller has actual knowledge that the consumer is not 18 571
849+years of age or older. However, if a consumer who is between 13 572
850+and 18 years of age, or if the parent or guardian of a consumer 573
853851
854-CS/CS/HB 9, Engrossed 1 2022
852+CS/CS/HB 9 2022
855853
856854
857855
858856 CODING: Words stricken are deletions; words underlined are additions.
859-hb0009-03-e1
857+hb0009-02-c2
860858 Page 24 of 35
861859 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
862860
863861
864862
865- 8. Assure the physical security of persons or property. 576
866- (6) RIGHT TO OPT-OUT OF THE SALE OR SHARING OF PERSONAL 577
867-INFORMATION.— 578
868- (a) A consumer has the right at any time to direct a 579
869-controller not to sell or share the consumer's personal 580
870-information to a third party. This right may be referred to as 581
871-the right to opt-out. 582
872- (b) Notwithstanding paragraph (a), a controller may not 583
873-sell or share the personal information of a mino r consumer if 584
874-the controller has actual knowledge that the consumer is not 18 585
875-years of age or older. However, if a consumer who is between 13 586
876-and 18 years of age, or if the parent or guardian of a consumer 587
877-who is 12 years of age or younger, has affirmative ly authorized 588
878-the sale or sharing of such consumer's personal information, 589
879-then a controller may sell or share such information in 590
880-accordance with this section. A controller that willfully 591
881-disregards the consumer's age is deemed to have actual knowledge 592
882-of the consumer's age. A controller that complies with the 593
883-verifiable parental consent requirements of the Children's 594
884-Online Privacy Protection Act, 15 U.S.C. s. 6501 et seq., shall 595
885-be deemed compliant with any obligation to obtain parental 596
886-consent. 597
887- (c) A controller that has received direction from a 598
888-consumer opting-out of the sale or sharing of the consumer's 599
889-personal information is prohibited from selling or sharing the 600
863+who is 12 years of age or younger, has affirmatively authorized 574
864+the sale or sharing of su ch consumer's personal information, 575
865+then a controller may sell or share such information in 576
866+accordance with this section. A controller that willfully 577
867+disregards the consumer's age is deemed to have actual knowledge 578
868+of the consumer's age. A controller that complies with the 579
869+verifiable parental consent requirements of the Children's 580
870+Online Privacy Protection Act, 15 U.S.C. s. 6501 et seq., shall 581
871+be deemed compliant with any obligation to obtain parental 582
872+consent. 583
873+ (c) A controller that has received direction prohibiting 584
874+the sale or sharing of the consumer's personal information is 585
875+prohibited from selling or sharing the consumer's personal 586
876+information beginning 48 hours after receipt of such direction, 587
877+unless the consumer subsequently provides express authoriza tion 588
878+for the sale or sharing of the consumer's personal information. 589
879+ (7) FORM TO OPT-OUT OF SALE OR SHARING OF PERSONAL 590
880+INFORMATION.— 591
881+ (a) A controller shall: 592
882+ 1. In a form that is reasonably accessible to consumers, 593
883+provide a clear and conspicuous lin k on the controller's 594
884+Internet homepage, entitled "Do Not Sell or Share My Personal 595
885+Information," to an Internet webpage that enables a consumer, or 596
886+a person authorized by the consumer, to opt -out of the sale or 597
887+sharing of the consumer's personal informati on. A controller may 598
890888
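Review bot: In paragraph (6)(c) on the "+" side, "has received direction prohibiting the sale or sharing" does not say who gave the direction, although the same sentence closes with "unless the consumer subsequently provides express authorization". The "-" side wording, "direction from a consumer opting-out", ties the direction to the consumer and would be clearer here. The two sides also differ on when the prohibition begins: "48 hours after receipt" on the "+" side against "4 calendar days after receipt" on the "-" side, which continues on the next page. Whichever period is kept should use one unit throughout, since subsection (11) counts in calendar days.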
891-CS/CS/HB 9, Engrossed 1 2022
889+CS/CS/HB 9 2022
892890
893891
894892
895893 CODING: Words stricken are deletions; words underlined are additions.
896-hb0009-03-e1
894+hb0009-02-c2
897895 Page 25 of 35
898896 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
899897
900898
901899
902-consumer's personal information beginning 4 calendar days after 601
903-receipt of such direct ion, unless the consumer subsequently 602
904-provides express authorization for the sale or sharing of the 603
905-consumer's personal information. 604
906- (7) FORM TO OPT-OUT OF SALE OR SHARING OF PERSONAL 605
907-INFORMATION.— 606
908- (a) A controller shall: 607
909- 1. In a form that is reasona bly accessible to consumers, 608
910-provide a clear and conspicuous link on the controller's 609
911-Internet homepage, entitled "Do Not Sell or Share My Personal 610
912-Information," to an Internet webpage that enables a consumer, or 611
913-a person authorized by the consumer, to op t-out of the sale or 612
914-sharing of the consumer's personal information. A controller may 613
915-not require a consumer to create an account in order to direct 614
916-the controller not to sell or share the consumer's personal 615
917-information. A controller may accept a request to opt-out 616
918-received through a user -enabled global privacy control, such as 617
919-a browser plug-in or privacy setting, device setting, or other 618
920-mechanism, which communicates or signals the consumer's choice 619
921-to opt out. 620
922- 2. For consumers who opted -out of the sale or sharing of 621
923-their personal information, respect the consumer's decision to 622
924-opt-out for at least 12 months before requesting that the 623
925-consumer authorize the sale or sharing of the consumer's 624
926-personal information. 625
900+not require a consumer to create an account in order to direct 599
901+the controller not to sell the consumer's personal information. 600
902+A controller may accept a request to opt -out received through a 601
903+user-enabled global privacy control, such as a browser plug-in 602
904+or privacy setting, device setting, or other mechanism, which 603
905+communicates or signals the consumer's choice to opt out. 604
906+ 2. For consumers who opted -out of the sale or sharing of 605
907+their personal information, respect the consumer's decisio n to 606
908+opt-out for at least 12 months before requesting that the 607
909+consumer authorize the sale or sharing of the consumer's 608
910+personal information. 609
911+ 3. Use any personal information collected from the 610
912+consumer in connection with the submission of the consumer's 611
913+opt-out request solely for the purposes of complying with the 612
914+opt-out request. 613
915+ (b) A consumer may authorize another person to opt -out of 614
916+the sale or sharing of the consumer's personal information on 615
917+the consumer's behalf pursuant to rules adopted by the 616
918+department. 617
919+ (8) ACTIONS RELATED TO CONSUMERS WHO EXERCISE PRIVACY 618
920+RIGHTS.— 619
921+ (a) A controller may charge a consumer who exercised any 620
922+of the consumer's rights under this section a different price or 621
923+rate, or provide a different level or quality of goods or 622
924+services to the consumer, only if that difference is reasonably 623
927925
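Review bot: In subparagraph (7)(a)1. on the "+" side, the no-account sentence reads "to direct the controller not to sell the consumer's personal information" and drops "or share", while the heading of subsection (7), the link title "Do Not Sell or Share My Personal Information," and the rest of the subparagraph all cover both sale and sharing. As written, a controller could read the ban on requiring an account as applying only to sale opt-outs. Suggest restoring "not to sell or share", as on the "-" side.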
928-CS/CS/HB 9, Engrossed 1 2022
926+CS/CS/HB 9 2022
929927
930928
931929
932930 CODING: Words stricken are deletions; words underlined are additions.
933-hb0009-03-e1
931+hb0009-02-c2
934932 Page 26 of 35
935933 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
936934
937935
938936
939- 3. Use any personal information collec ted from the 626
940-consumer in connection with the submission of the consumer's 627
941-opt-out request solely for the purposes of complying with the 628
942-opt-out request. 629
943- (b) A consumer may authorize another person to opt -out of 630
944-the sale or sharing of the consumer's perso nal information on 631
945-the consumer's behalf pursuant to rules adopted by the 632
946-department. 633
947- (8) ACTIONS RELATED TO CONSUMERS WHO EXERCISE PRIVACY 634
948-RIGHTS.— 635
949- (a) A controller may charge a consumer who exercised any 636
950-of the consumer's rights under this section a different price or 637
951-rate, or provide a different level or quality of goods or 638
952-services to the consumer, only if that difference is reasonably 639
953-related to the value provided to the controller by the 640
954-consumer's data or is related to a consumer's voluntary 641
955-participation in a financial incentive program, including a bona 642
956-fide loyalty, rewards, premium features, discounts, or club card 643
957-program offered by the controller. 644
958- (b) A controller may offer financial incentives, including 645
959-payments to consumers as compensat ion, for the collection, 646
960-sharing, sale, or deletion of personal information if the 647
961-consumer gives the controller prior consent that clearly 648
962-describes the material terms of the financial incentive program. 649
963-The consent may be revoked by the consumer at any t ime. 650
937+related to the value provided to the controller by the 624
938+consumer's data or is related to a consumer's voluntary 625
939+participation in a financial incentive program, including a bona 626
940+fide loyalty, rewards, premium features, discounts, or club card 627
941+program offered by the controller. 628
942+ (b) A controller may offer financial incentives, including 629
943+payments to consumers as compensation, for the collection, 630
944+sharing, sale, or deletion of personal information if the 631
945+consumer gives the controller prior consent that clearly 632
946+describes the material terms of the financial incentive program. 633
947+The consent may be revoked by the consumer at any time. 634
948+ (c) A controller may not use financial incentive practice s 635
949+that are unjust, unreasonable, coercive, or usurious in nature. 636
950+ (9) CONTRACTS AND ROLES. — 637
951+ (a) Any contract or agreement between a controller and a 638
952+processor must: 639
953+ 1. Prohibit the processor from selling, sharing, 640
954+retaining, using, or disclosing the personal information for any 641
955+purpose that violates this section; 642
956+ 2. Govern the processor's personal information processing 643
957+procedures with respect to processing performed on behalf of the 644
958+controller, including processing instructions, the nature and 645
959+purpose of processing, the type of information subject to 646
960+processing, the duration of processing, and the rights and 647
961+obligations of both the controller and processor; 648
964962
965-CS/CS/HB 9, Engrossed 1 2022
963+CS/CS/HB 9 2022
966964
967965
968966
969967 CODING: Words stricken are deletions; words underlined are additions.
970-hb0009-03-e1
968+hb0009-02-c2
971969 Page 27 of 35
972970 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
973971
974972
975973
976- (c) A controller may not use financial incentive practices 651
977-that are unjust, unreasonable, coercive, or usurious in nature. 652
978- (9) CONTRACTS AND ROLES. — 653
979- (a) Any contract or agreement between a controller and a 654
980-processor must: 655
981- 1. Prohibit the proce ssor from selling, sharing, 656
982-retaining, using, or disclosing the personal information for any 657
983-purpose that violates this section; 658
984- 2. Govern the processor's personal information processing 659
985-procedures with respect to processing performed on behalf of the 660
986-controller, including processing instructions, the nature and 661
987-purpose of processing, the type of information subject to 662
988-processing, the duration of processing, and the rights and 663
989-obligations of both the controller and processor; 664
990- 3. Require the processor to return or delete all personal 665
991-information under the contract to the controller as requested by 666
992-the controller at the end of the provision of services, unless 667
993-retention of the information is required by law; and 668
994- 4. Upon request of the controller, require the processor 669
995-to make available to the controller all personal information in 670
996-its possession under the contract or agreement. 671
997- (b) Determining whether a person is acting as a controller 672
998-or processor with respect to a specific processing of data is a 673
999-fact-based determination that depends upon the context in which 674
1000-personal information is to be processed. The contract between a 675
974+ 3. Require the processor to return or delete all personal 649
975+information under the contract to the controller as requested by 650
976+the controller at the end of the provision of services, unless 651
977+retention of the information is required by law; and 652
978+ 4. Upon request of the controller, require the processor 653
979+to make available to the controller all personal information in 654
980+its possession under the contract or agreement. 655
981+ (b) Determining whether a person is acting as a controller 656
982+or processor with respect to a specific processing of data is a 657
983+fact-based determination that depends upon the context in which 658
984+personal information is to be processed. The contract between a 659
985+controller and processor must reflect their respective roles and 660
986+relationships related to handling personal information. A 661
987+processor that continues to adhere to a controller's 662
988+instructions with re spect to a specific processing of personal 663
989+information remains a processor. 664
990+ (c) A third party may not sell or share personal 665
991+information about a consumer that has been sold or shared to the 666
992+third party by a controller unless the consumer has received 667
993+explicit notice from the third party and is provided an 668
994+opportunity to opt-out by the third party. 669
995+ (d) A processor or third party must require any 670
996+subcontractor to meet the same obligations of such processor or 671
997+third party with respect to personal informati on. 672
998+ (e) A processor or third party or any subcontractor 673
1001999
1002-CS/CS/HB 9, Engrossed 1 2022
1000+CS/CS/HB 9 2022
10031001
10041002
10051003
10061004 CODING: Words stricken are deletions; words underlined are additions.
1007-hb0009-03-e1
1005+hb0009-02-c2
10081006 Page 28 of 35
10091007 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
10101008
10111009
10121010
1013-controller and processor must reflect their respective roles and 676
1014-relationships related to handling personal information. A 677
1015-processor that continues to adhere to a controller's 678
1016-instructions with respect to a specific processing of personal 679
1017-information remains a processor. 680
1018- (c) A third party may not sell or share personal 681
1019-information about a consumer that has been sold or shared to the 682
1020-third party by a controller unless the consumer has received 683
1021-explicit notice from the third party and is provided an 684
1022-opportunity to opt-out by the third party. 685
1023- (d) A processor or third party must require any 686
1024-subcontractor to meet the same obligations of such processor or 687
1025-third party with respect to personal information. 688
1026- (e) A processor or third party or any subcontractor 689
1027-thereof who violates any of the restrictions imposed upon it 690
1028-under this section is liable or responsible for any failure to 691
1029-comply with this section. 692
1030- (f) Any provision of a contract or agreement of any kind 693
1031-that waives or limits in any way a consumer's rights under this 694
1032-section, including, but not limited to, any right to a remedy or 695
1033-means of enforcement, is deemed contrary to public p olicy and is 696
1034-void and unenforceable. This section does not prevent a consumer 697
1035-from declining to exercise the consumer's rights under this 698
1036-section. 699
1037- (10) CIVIL ACTIONS; PRIVATE RIGHT OF ACTION. — 700
1011+thereof who violates any of the restrictions imposed upon it 674
1012+under this section is liable or responsible for any failure to 675
1013+comply with this section. 676
1014+ (f) Any provision of a contract or agreement of any kind 677
1015+that waives or limits in any way a consumer's rights under this 678
1016+section, including, but not limited to, any right to a remedy or 679
1017+means of enforcement, is deemed contrary to public policy and is 680
1018+void and unenforceable. This section does not prev ent a consumer 681
1019+from declining to request information from a controller, 682
1020+declining to opt-out of a controller's sale or sharing of the 683
1021+consumer's personal information, or authorizing a controller to 684
1022+sell or share the consumer's personal information after 685
1023+previously opting out. 686
1024+ (10) CIVIL ACTIONS; PRIVATE RIGHT OF ACTION. — 687
1025+ (a) A Florida consumer may only bring a civil action 688
1026+pursuant to this section against: 689
1027+ 1. A controller, processor, or third party who has global 690
1028+annual gross revenues of at least $50 million, but not more than 691
1029+$500 million, as adjusted in January of every odd -numbered year 692
1030+to reflect any increase in the Consumer Price Index. Upon 693
1031+prevailing, the Florida consumer may be awarded relief described 694
1032+in paragraph (c), but may not be awarded a ttorney fees or costs. 695
1033+Any private claim solely based on this section against a 696
1034+controller, processor, or third party who has global annual 697
1035+gross revenues of less than $50 million, is barred. 698
10381036
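Review bot: In paragraph (9)(f) on the "+" side, the closing sentence lists only three things a consumer may still do: decline to request information, decline to opt-out, or authorize sale or sharing after previously opting out. It does not mention declining to request deletion or correction, although subparagraph (10)(b)1. treats deletion and correction as rights under this section. The "-" side wording, "declining to exercise the consumer's rights under this section", covers all of them without an enumeration that has to be kept in step with the rest of the section.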
1039-CS/CS/HB 9, Engrossed 1 2022
1037+CS/CS/HB 9 2022
10401038
10411039
10421040
10431041 CODING: Words stricken are deletions; words underlined are additions.
1044-hb0009-03-e1
1042+hb0009-02-c2
10451043 Page 29 of 35
10461044 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
10471045
10481046
10491047
1050- (a) A Florida consumer may only bring a civil action 701
1051-pursuant to this section against: 702
1052- 1. A controller, processor, or third party who has global 703
1053-annual gross revenues of at least $50 million, but not more than 704
1054-$500 million, as adjusted in January of every odd -numbered year 705
1055-to reflect any increase in the Consumer Price Index. Upon 706
1056-prevailing, the Florida consumer may be awarded relief described 707
1057-in paragraph (c), but may not be awarded attorney fees or costs. 708
1058-Any private claim solely based on this section against a 709
1059-controller, processor, or third party who has glob al annual 710
1060-gross revenues of less than $50 million, is barred. 711
1061- 2. A controller, processor, or third party who has global 712
1062-annual gross revenues of more than $500 million, as adjusted in 713
1063-January of every odd -numbered year to reflect any increase in 714
1064-the Consumer Price Index. Upon prevailing, the Florida consumer 715
1065-may be awarded relief described in paragraph (c), and shall 716
1066-recover reasonable attorney fees and costs. 717
1067- (b) A Florida consumer may only bring a civil action 718
1068-pursuant to this section against a controller, processor, or 719
1069-third party who meets a threshold in paragraph (a) for the 720
1070-following actions: 721
1071- 1. Failure to delete or correct the consumer's personal 722
1072-information pursuant to this section after receiving a 723
1073-verifiable consumer request or directio ns to delete or correct 724
1074-from a controller unless the controller, processor, or third 725
1048+ 2. A controller, processor, or third party who has global 699
1049+annual gross revenues of more than $500 million, as adjusted in 700
1050+January of every odd -numbered year to reflect any increase in 701
1051+the Consumer Price Index. Upon prevailing, the Florida consumer 702
1052+may be awarded relief described in paragraph (c), and shall 703
1053+recover reasonable attorney fees and costs. 704
1054+ (b) A Florida consumer may only bring a civil action 705
1055+pursuant to this section against a controller, processor, or 706
1056+third party who meets a threshold in paragraph (a) for the 707
1057+following actions: 708
1058+ 1. Failure to delete or co rrect the consumer's personal 709
1059+information pursuant to this section after receiving a 710
1060+verifiable consumer request or directions to delete or correct 711
1061+from a controller unless the controller, processor, or third 712
1062+party qualifies for an exception to the require ments to delete 713
1063+or correct under this section. 714
1064+ 2. Continuing to sell or share the consumer's personal 715
1065+information after the consumer chooses to opt -out pursuant to 716
1066+this section. 717
1067+ 3. Selling or sharing the personal information of the 718
1068+consumer age 18 or y ounger without obtaining consent as required 719
1069+by this section. 720
1070+ (c) A court may grant the following relief to a Florida 721
1071+consumer: 722
1072+ 1. Statutory damages in an amount not less than $100 and 723
10751073
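Review bot: Subparagraph (10)(b)3., the same on both sides, refers to "the consumer age 18 or younger", but paragraph (6)(b) restricts sale or sharing only where the consumer "is not 18 years of age or older" and speaks of a consumer "between 13 and 18 years of age". An 18-year-old is inside (10)(b)3. and outside the consent requirement of (6)(b), so the age boundary differs between the right and its remedy. Suggest one formulation, for example "younger than 18 years of age", in both places and in subparagraph (11)(a)1.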
1076-CS/CS/HB 9, Engrossed 1 2022
1074+CS/CS/HB 9 2022
10771075
10781076
10791077
10801078 CODING: Words stricken are deletions; words underlined are additions.
1081-hb0009-03-e1
1079+hb0009-02-c2
10821080 Page 30 of 35
10831081 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
10841082
10851083
10861084
1087-party qualifies for an exception to the requirements to delete 726
1088-or correct under this section. 727
1089- 2. Continuing to sell or share the consumer's personal 728
1090-information after th e consumer chooses to opt -out pursuant to 729
1091-this section. 730
1092- 3. Selling or sharing the personal information of the 731
1093-consumer age 18 or younger without obtaining consent as required 732
1094-by this section. 733
1095- (c) A court may grant the following relief to a Florida 734
1096-consumer: 735
1097- 1. Statutory damages in an amount not less than $100 and 736
1098-not greater than $750 per consumer per incident or actual 737
1099-damages, whichever is greater. 738
1100- 2. Injunctive or declaratory relief. 739
1101- (d) Upon prevailing, a controller, processor, or third 740
1102-party may only be awarded attorney fees if the court finds that 741
1103-there was a complete absence of a justiciable issue of either 742
1104-law or fact raised by the consumer or if the court finds bad 743
1105-faith on the part of the consumer, including if the consumer is 744
1106-not a Florida consumer. 745
1107- (e) A consumer must commence a civil action for a claim 746
1108-under this section within 1 year after discovery of the 747
1109-violation. 748
1110- (f) Any action under this subsection may only be brought 749
1111-by or on behalf of a Florida consumer. 750
1085+not greater than $750 per consumer per incident or actual 724
1086+damages, whichever is greater. 725
1087+ 2. Injunctive or declaratory relief. 726
1088+ (d) A controller, processor, or third party may only be 727
1089+awarded attorney fees if: 728
1090+ 1. The case was dismissed with prejudice. 729
1091+ 2. There was fraud on the part of the consumer. 730
1092+ 3. The consumer is not a Florida consumer. 731
1093+ (e) A consumer must commence a civil action for a claim 732
1094+under this section within 1 year after discovery of the 733
1095+violation. 734
1096+ (f) Any action under this subsection may only be brought 735
1097+by or on behalf of a Florida consumer. 736
1098+ (g) Liability for a tort, contract claim, or consumer 737
1099+protection claim which is unrelated to an action brought under 738
1100+this subsection or subsection (11) does not arise solely from 739
1101+the failure of a controller, processor, or third party to comply 740
1102+with this section and evidence of such may only be used as the 741
1103+basis to prove a cause of action under this subsection. 742
1104+ (h) In assessing the amount of statutory damages, the 743
1105+court shall consider any one or more of the relevant 744
1106+circumstances presented by any of the parti es to the case, 745
1107+including, but not limited to, the nature and seriousness of the 746
1108+misconduct, the number of violations, the length of time over 747
1109+which the misconduct occurred, and the defendant's assets, 748
11121110
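Review bot: In paragraph (10)(d) on the "+" side, the three conditions for awarding attorney fees to a controller, processor, or third party ("1. The case was dismissed with prejudice." "2. There was fraud on the part of the consumer." "3. The consumer is not a Florida consumer.") are listed as separate sentences with no "or" or "and", so it is not stated whether one condition suffices or all three are required. The "+" side also omits the "Upon prevailing," qualifier found on the "-" side. Suggest adding the conjunction and stating whether the defendant must have prevailed.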
1113-CS/CS/HB 9, Engrossed 1 2022
1111+CS/CS/HB 9 2022
11141112
11151113
11161114
11171115 CODING: Words stricken are deletions; words underlined are additions.
1118-hb0009-03-e1
1116+hb0009-02-c2
11191117 Page 31 of 35
11201118 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
11211119
11221120
11231121
1124- (g) Liability for a tort, contract claim, or consumer 751
1125-protection claim which is unrelated to an action brought under 752
1126-this subsection or subsection (11) does not arise solely from 753
1127-the failure of a controller, processor, or third party to comply 754
1128-with this section and evidence of such may only be used as the 755
1129-basis to prove a cause of action under this subsection. 756
1130- (h) In assessing the amount of statutory damages, the 757
1131-court shall consider any one or more of the relevant 758
1132-circumstances presented by any of the parties to the case, 759
1133-including, but not limited to, the nature and seriousness of the 760
1134-misconduct, the number of violations, the length of time over 761
1135-which the misconduct occurred, and the defendant's assets, 762
1136-liability, and net worth. 763
1137- (11) ENFORCEMENT AND IMPLEMENTATION BY TH E DEPARTMENT.— 764
1138- (a) Any violation of this section is an unfair and 765
1139-deceptive trade practice actionable under part II of chapter 501 766
1140-solely by the department against a controller, processor, or 767
1141-person. If the department has reason to believe that any 768
1142-controller, processor, or third party is in violation of this 769
1143-section, the department, as the enforcement authority, may bring 770
1144-an action against such controller, processor, or third party for 771
1145-an unfair or deceptive act or practice. For the purpose of 772
1146-bringing an action pursuant to this section, ss. 501.211 and 773
1147-501.212 do not apply. Civil penalties may be tripled if the 774
1148-violation: 775
1122+liability, and net worth. 749
1123+ (11) ENFORCEMENT AND IMPLE MENTATION BY THE DEPARTMENT. — 750
1124+ (a) Any violation of this section is an unfair and 751
1125+deceptive trade practice actionable under part II of chapter 501 752
1126+solely by the department against a controller, processor, or 753
1127+person. If the department has reason to believe that any 754
1128+controller, processor, or third party is in violation of this 755
1129+section, the department, as the enforcement authority, may bring 756
1130+an action against such controller, processor, or third party for 757
1131+an unfair or deceptive act or practice. For the purpos e of 758
1132+bringing an action pursuant to this section, ss. 501.211 and 759
1133+501.212 do not apply. Civil penalties may be tripled if the 760
1134+violation: 761
1135+ 1. Involves a Florida consumer who the controller, 762
1136+processor, or third party has actual knowledge is 18 years of 763
1137+age or younger; or 764
1138+ 2. Is based on paragraph (10)(b). 765
1139+ (b) After the department has notified a controller, 766
1140+processor, or third party in writing of an alleged violation, 767
1141+the department may in its discretion grant a 45 -day period to 768
1142+cure the alleged violation. The 45-day cure period does not 769
1143+apply to a violation of subparagraph (10)(b)1. The department 770
1144+may consider the number and frequency of violations, the 771
1145+substantial likelihood of injury to the public, and the safety 772
1146+of persons or property when determining w hether to grant 45 773
11491147
1150-CS/CS/HB 9, Engrossed 1 2022
1148+CS/CS/HB 9 2022
11511149
11521150
11531151
11541152 CODING: Words stricken are deletions; words underlined are additions.
1155-hb0009-03-e1
1153+hb0009-02-c2
11561154 Page 32 of 35
11571155 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
11581156
11591157
11601158
1161- 1. Involves a Florida consumer who the controller, 776
1162-processor, or third party has actual knowledge is 18 years of 777
1163-age or younger; or 778
1164- 2. Is based on paragraph (10)(b). 779
1165- (b) After the department has notified a controller, 780
1166-processor, or third party in writing of an alleged violation, 781
1167-the department may in its discretion grant a 45 -day period to 782
1168-cure the alleged violation. The 45 -day cure period does not 783
1169-apply to a violation of subparagraph (10)(b)1. The department 784
1170-may consider the number and frequency of violations, the 785
1171-substantial likelihood of injury to the public, and the safety 786
1172-of persons or property when determining whether to grant 45 787
1173-calendar days to cure and the issuance of a letter of guidance. 788
1174-If the violation is cured to the satisfaction of the department 789
1175-and proof of such cure is provided to the department, the 790
1176-department in its discretion may issue a letter of guidance. If 791
1177-the controller, processor, or third party fails to cure the 792
1178-violation within 45 calendar days, the department may bring an 793
1179-action against the controller, processor, or third party for the 794
1180-alleged violation. 795
1181- (c) Any action brought by the department may only be 796
1182-brought on behalf of a Florida consumer. 797
1183- (d) By February 1 of each year, the department shall 798
1184-submit a report to the President of the Senate and the Speaker 799
1185-of the House of Representatives describing any actions taken by 800
1159+calendar days to cure and the issuance of a letter of guidance. 774
1160+If the violation is cured to the satisfaction of the department 775
1161+and proof of such cure is provided to the department, the 776
1162+department in its discretion may issue a letter of guidance. If 777
1163+the controller, processor, or third party fails to cure the 778
1164+violation within 45 calendar days, the department may bring an 779
1165+action against the controller, processor, or third party for the 780
1166+alleged violation. 781
1167+ (c) Any action brought by the depa rtment may only be 782
1168+brought on behalf of a Florida consumer. 783
1169+ (d) By February 1 of each year, the department shall 784
1170+submit a report to the President of the Senate and the Speaker 785
1171+of the House of Representatives describing any actions taken by 786
1172+the department to enforce this section. The report shall include 787
1173+statistics and relevant information detailing: 788
1174+ 1. The number of complaints received; 789
1175+ 2. The number and type of enforcement actions taken and 790
1176+the outcomes of such actions; 791
1177+ 3. The number of complaints resolved without the need for 792
1178+litigation; and 793
1179+ 4. The status of the development and implementation of 794
1180+rules to implement this section. 795
1181+ (e) The department may adopt rules to implement this 796
1182+section, including standards for verifiable consumer requests, 797
1183+enforcement, data security, and authorized persons who may act 798
11861184
1187-CS/CS/HB 9, Engrossed 1 2022
1185+CS/CS/HB 9 2022
11881186
11891187
11901188
11911189 CODING: Words stricken are deletions; words underlined are additions.
1192-hb0009-03-e1
1190+hb0009-02-c2
11931191 Page 33 of 35
11941192 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
11951193
11961194
11971195
1198-the department to enforce thi s section. The report shall include 801
1199-statistics and relevant information detailing: 802
1200- 1. The number of complaints received; 803
1201- 2. The number and type of enforcement actions taken and 804
1202-the outcomes of such actions; 805
1203- 3. The number of complaints resolved withou t the need for 806
1204-litigation; and 807
1205- 4. The status of the development and implementation of 808
1206-rules to implement this section. 809
1207- (e) The department may adopt rules to implement this 810
1208-section, including standards for verifiable consumer requests, 811
1209-enforcement, data security, and authorized persons who may act 812
1210-on a consumer's behalf. 813
1211- (12) JURISDICTION.—For purposes of bringing an action in 814
1212-accordance with subsections (10) and (11), any person who meets 815
1213-the definition of controller as defined in this section that 816
1214-collects, shares, or sells the personal information of Florida 817
1215-consumers, is considered to be both engaged in substantial and 818
1216-not isolated activities within this state and operating, 819
1217-conducting, engaging in, or carrying on a business, and doing 820
1218-business in this state, and is therefore subject to the 821
1219-jurisdiction of the courts of this state. 822
1220- (13) PREEMPTION.—This section is a matter of statewide 823
1221-concern and supersedes all rules, regulations, codes, 824
1222-ordinances, and other laws adopted by a city, county, city a nd 825
1196+on a consumer's behalf. 799
1197+ (12) JURISDICTION.—For purposes of bringing an action in 800
1198+accordance with subsections (10) and (11), any person who meets 801
1199+the definition of controller as defined in this section that 802
1200+collects, shares, or sells the personal information of Florida 803
1201+consumers, is considered to be both engaged in substantial and 804
1202+not isolated activities within this state and operating, 805
1203+conducting, engaging in, or carrying on a business, and doin g 806
1204+business in this state, and is therefore subject to the 807
1205+jurisdiction of the courts of this state. 808
1206+ (13) PREEMPTION.—This section is a matter of statewide 809
1207+concern and supersedes all rules, regulations, codes, 810
1208+ordinances, and other laws adopted by a city, county, city and 811
1209+county, municipality, or local agency regarding the collection, 812
1210+processing, sharing, or sale of consumer personal information by 813
1211+a controller or processor. The regulation of the collection, 814
1212+processing, sharing, or sale of consumer persona l information by 815
1213+a controller or processor is preempted to the state. 816
1214+ Section 2. Paragraph (g) of subsection (1) of section 817
1215+501.171, Florida Statutes, is amended to read: 818
1216+ 501.171 Security of confidential personal information. — 819
1217+ (1) DEFINITIONS.—As used in this section, the term: 820
1218+ (g)1. "Personal information" means either of the 821
1219+following: 822
1220+ a. An individual's first name or first initial and last 823
12231221
1224-CS/CS/HB 9, Engrossed 1 2022
1222+CS/CS/HB 9 2022
12251223
12261224
12271225
12281226 CODING: Words stricken are deletions; words underlined are additions.
1229-hb0009-03-e1
1227+hb0009-02-c2
12301228 Page 34 of 35
12311229 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
12321230
12331231
12341232
1235-county, municipality, or local agency regarding the collection, 826
1236-processing, sharing, or sale of consumer personal information by 827
1237-a controller or processor. The regulation of the collection, 828
1238-processing, sharing, or sale of consumer personal information b y 829
1239-a controller or processor is preempted to the state. 830
1240- Section 2. Paragraph (g) of subsection (1) of section 831
1241-501.171, Florida Statutes, is amended to read: 832
1242- 501.171 Security of confidential personal information. — 833
1243- (1) DEFINITIONS.—As used in this section, the term: 834
1244- (g)1. "Personal information" means either of the 835
1245-following: 836
1246- a. An individual's first name or first initial and last 837
1247-name in combination with any one or more of the following data 838
1248-elements for that individual: 839
1249- (I) A social security number; 840
1250- (II) A driver license or identification card number, 841
1251-passport number, military identification number, or other 842
1252-similar number issued on a government document used to verify 843
1253-identity; 844
1254- (III) A financial account number or credit or debit card 845
1255-number, in combination with any required security code, access 846
1256-code, or password that is necessary to permit access to an 847
1257-individual's financial account; 848
1258- (IV) Any information regarding an individual's medical 849
1259-history, mental or physical condition, or medical treatment or 850
1233+name in combination with any one or more of the following data 824
1234+elements for that individual: 825
1235+ (I) A social security number; 826
1236+ (II) A driver license or identification card number, 827
1237+passport number, military identification number, or other 828
1238+similar number issued on a government document used to verify 829
1239+identity; 830
1240+ (III) A financial account number or credit or deb it card 831
1241+number, in combination with any required security code, access 832
1242+code, or password that is necessary to permit access to an 833
1243+individual's financial account; 834
1244+ (IV) Any information regarding an individual's medical 835
1245+history, mental or physical condition , or medical treatment or 836
1246+diagnosis by a health care professional; or 837
1247+ (V) An individual's health insurance policy number or 838
1248+subscriber identification number and any unique identifier used 839
1249+by a health insurer to identify the individual. 840
1250+ (VI) An individual's biometric information or genetic 841
1251+information as defined in s. 501.173(2). 842
1252+ b. A user name or e -mail address, in combination with a 843
1253+password or security question and answer that would permit 844
1254+access to an online account. 845
1255+ 2. The term does not include information about an 846
1256+individual that has been made publicly available by a federal, 847
1257+state, or local governmental entity. The term also does not 848
12601258
1261-CS/CS/HB 9, Engrossed 1 2022
1259+CS/CS/HB 9 2022
12621260
12631261
12641262
12651263 CODING: Words stricken are deletions; words underlined are additions.
1266-hb0009-03-e1
1264+hb0009-02-c2
12671265 Page 35 of 35
12681266 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
12691267
12701268
12711269
1272-diagnosis by a health care professional; or 851
1273- (V) An individual's health insurance policy number or 852
1274-subscriber identification number and any unique identifier used 853
1275-by a health insurer to identify the individual. 854
1276- (VI) An individual's biometr ic information or genetic 855
1277-information as defined in s. 501.173(2). 856
1278- b. A user name or e -mail address, in combination with a 857
1279-password or security question and answer that would permit 858
1280-access to an online account. 859
1281- 2. The term does not include information about an 860
1282-individual that has been made publicly available by a federal, 861
1283-state, or local governmental entity. The term also does not 862
1284-include information that is encrypted, secured, or modified by 863
1285-any other method or technology that removes elements that 864
1286-personally identify an individual or that otherwise renders the 865
1287-information unusable. 866
1288- Section 3. This act shall take effect January 1, 2023. 867
1270+include information that is encrypted, secured, or modified by 849
1271+any other method or technology that removes eleme nts that 850
1272+personally identify an individual or that otherwise renders the 851
1273+information unusable. 852
1274+ Section 3. This act shall take effect January 1, 2023. 853
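Review bot: in the s. 501.171(1)(g)1.a. list, the conjunction and terminal punctuation do not match the item count: (IV) still ends with "; or" and (V) ends with a period, yet (VI) on biometric and genetic information follows it. As rendered here the list reads as closing at (V), which leaves (VI) detached from "any one or more of the following data elements". Suggest ending (IV) with a semicolon, (V) with "; or", and (VI) with the period. The strike and underline coding is not visible in this comparison view, so this should be confirmed against the coded bill text; both versions shown carry the same wording at this point.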