Florida 2022 Regular Session

Florida House Bill H0009 Latest Draft

Bill / Engrossed Version Filed 03/01/2022

                                    
 
CS/CS/HB 9, Engrossed 1    2022

CODING: Words stricken are deletions; words underlined are additions.
hb0009-03-e1
FLORIDA HOUSE OF REPRESENTATIVES

A bill to be entitled
An act relating to consumer data privacy; creating s.
501.173, F.S.; providing applicability; providing
definitions; requiring controllers that collect a
consumer's personal data to disclose certain
information regarding data collection and selling
practices to the consumer at or before the point of
collection; specifying that such information may be
provided through a general privacy policy or through a
notice informing the consumer that additional specific
information will be provided upon a certain request;
prohibiting controllers from collecting additional
categories of personal information or using personal
information for additional purposes without notifying
the consumer; requiring controllers that collect
personal information to implement reasonable security
procedures and practices to protect the information;
authorizing consumers to request controllers to
disclose the specific personal information the
controller has collected about the consumer; requiring
controllers to make available two or more methods for
consumers to request their personal information;
requiring controllers to provide such information free
of charge within a certain timeframe and in a certain
format upon receiving a verifiable consumer request;
specifying requirements for third parties with respect
to consumer information acquired or used; providing
construction; authorizing consumers to request
controllers to delete or correct personal information
the controllers have collected about the consumers;
providing exceptions; specifying requirements for
controllers to comply with deletion or correction
requests; authorizing consumers to opt out of third-party
disclosure of personal information collected by
a controller; prohibiting controllers from selling or
disclosing the personal information of consumers
younger than a certain age, except under certain
circumstances; prohibiting controllers from selling or
sharing a consumer's information if the consumer has
opted out of such disclosure; prohibiting controllers
from taking certain actions to retaliate against
consumers who exercise certain rights; providing
applicability; providing that a contract or agreement
that waives or limits certain consumer rights is void
and unenforceable; providing for civil actions and a
private right of action for consumers under certain
circumstances; providing civil remedies; authorizing
the Department of Legal Affairs to bring an action
under the Florida Unfair or Deceptive Trade Practices
Act and to adopt rules; requiring the department to
submit an annual report to the Legislature; providing
report requirements; providing that controllers must
have a specified timeframe to cure any violations;
providing jurisdiction; declaring that the act is
matter of statewide concern; preempting the
collection, processing, sharing, and sale of consumer
personal information to the state; amending s.
501.171, F.S.; revising the definition of "personal
information"; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

 Section 1.  Section 501.173, Florida Statutes, is created
to read:
 501.173  Consumer data privacy.—
 (1)  APPLICABILITY.—This section applies to any entity that
meets the definition of controller, processor, or third party,
and that buys, sells, or shares personal information of Florida
consumers. This section does not apply to entities that do not
buy, sell, or share personal information of Florida consumers
and such entities do not have to comply with this section. This
section also does not apply to:
 (a)  Personal information collected and transmitted that is
necessary for the sole purpose of sharing such personal
information with a financial service provider solely to
facilitate short term, transactional payment processing for the
purchase of products or services.
 (b)  Personal information collected, used, retained, sold,
shared, or disclosed as deidentified personal information or
aggregate consumer information.
 (c)  Compliance with federal, state, or local laws.
 (d)  Compliance with a civil, criminal, or regulatory
inquiry, investigation, subpoena, or summons by federal, state,
or local authorities.
 (e)  Cooperation with law enforcement agencies concerning
conduct or activity that the controller, processor, or third
party reasonably and in good faith believes may violate federal,
state, or local law.
 (f)  Exercising or defending legal claims.
 (g)  Personal information collected through the
controller's direct interactions with the consumer, if collected
in accordance with the provisions of this section, that is used
by the controller or the processor that the controller directly
contracts with for advertising or marketing services to
advertise or market products or services that are produced or
offered directly by the controller. Such information may not be
sold, shared, or disclosed unless otherwise authorized under
this section.
 (h)  Personal information of a person acting in the role of
a job applicant, employee, owner, director, officer, contractor,
volunteer, or intern of a controller, that is collected by a
controller, to the extent the personal information is collected
and used solely within the context of the person's role or
former role with the controller.
 (i)  Protected health information for purposes of the
federal Health Insurance Portability and Accountability Act of
1996 and related regulations, and patient identifying
information for purposes of 42 C.F.R. part 2, established
pursuant to 42 U.S.C. s. 290dd-2.
 (j)  A covered entity or business associate governed by the
privacy, security, and breach notification rules issued by the
United States Department of Health and Human Services in 45
C.F.R. parts 160 and 164, or a program or a qualified service
program as defined in 42 C.F.R. part 2, to the extent the
covered entity, business associate, or program maintains
personal information in the same manner as medical information
or protected health information as described in paragraph (i),
and as long as the covered entity, business associate, or
program does not use personal information for targeted
advertising with third parties and does not sell or share
personal information to a third party unless such sale or
sharing is covered by an exception under this section.
 (k)  Identifiable private information collected for
purposes of research as defined in 45 C.F.R. s. 164.501
conducted in accordance with the Federal Policy for the
Protection of Human Subjects for purposes of 45 C.F.R. part 46,
the good clinical practice guidelines issued by the
International Council for Harmonisation of Technical
Requirements for Pharmaceuticals for Human Use, or the
Protection for Human Subjects for purposes of 21 C.F.R. parts 50
and 56, or personal information that is used or shared in
research conducted in accordance with one or more of these
standards.
 (l)  Information and documents created for purposes of the
federal Health Care Quality Improvement Act of 1986 and related
regulations, or patient safety work product for purposes of 42
C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21
through 299b-26.
 (m)  Information that is deidentified in accordance with 45
C.F.R. part 164 and derived from individually identifiable
health information as described in the Health Insurance
Portability and Accountability Act of 1996, or identifiable
personal information, consistent with the Federal Policy for the
Protection of Human Subjects or the human subject protection
requirements of the United States Food and Drug Administration.
 (n)  Information used only for public health activities and
purposes as described in 45 C.F.R. s. 164.512.
 (o)  Personal information collected, processed, sold, or
disclosed pursuant to the federal Fair Credit Reporting Act, 15
U.S.C. s. 1681 and implementing regulations.
 (p)  Nonpublic personal information collected, processed,
sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, 15
U.S.C. s. 6801 et seq., and implementing regulations.
 (q)  A financial institution as defined in the Gramm-Leach-Bliley
Act, 15 U.S.C. s. 6801 et seq., to the extent the
financial institution maintains personal information in the same
manner as nonpublic personal information as described in
paragraph (p), and as long as such financial institution does
not use personal information for targeted advertising with third
parties and does not sell or share personal information to a
third party unless such sale or sharing is covered by an
exception under this section.
 (r)  Personal information collected, processed, sold, or
disclosed pursuant to the federal Driver's Privacy Protection
Act of 1994, 18 U.S.C. s. 2721 et seq.
 (s)  Education information covered by the Family
Educational Rights and Privacy Act, 20 U.S.C. s. 1232(g) and 34
C.F.R. part 99.
 (t)  Information collected as part of public or peer-reviewed
scientific or statistical research in the public
interest and that adheres to all other applicable ethics and
privacy laws, if the consumer has provided informed consent.
Research with personal information must be subjected by the
controller conducting the research to additional security
controls that limit access to the research data to only those
individuals necessary to carry out the research purpose and
subsequently deidentified.
 (u)  Personal information disclosed for the purpose of
responding to an alert of a present risk of harm to a person or
property or prosecuting those responsible for that activity.
 (v)  Personal information that is disclosed when a consumer
uses or directs a controller to intentionally disclose
information to a third party or uses the controller to
intentionally interact with a third party. An intentional
interaction occurs when the consumer intends to interact with
the third party, by one or more deliberate interactions.
Hovering over, muting, pausing, or closing a given piece of
content does not constitute a consumer's intent to interact with
a third party.
 (w)  An identifier used for a consumer who has opted out of
the sale or sharing of the consumer's personal information for
the sole purpose of alerting processors and third parties that
the consumer has opted out of the sale or sharing of the
consumer's personal information.
 (x)  Personal information transferred by a controller to a
third party as an asset that is part of a merger, acquisition,
bankruptcy, or other transaction in which the third party
assumes control of all or part of the controller, provided that
information is used or shared consistently with this section. If
a third party materially alters how it uses or shares the
personal information of a consumer in a manner that is
materially inconsistent with the commitments or promises made at
the time of collection, it shall provide prior notice of the new
or changed practice to the consumer. The notice must be
sufficiently prominent and robust to ensure that consumers can
easily exercise choices consistent with this section.
 (y)  Personal information necessary to fulfill the terms of
a written warranty when such warranty was purchased by the
consumer or the product that is warranted was purchased by the
consumer. Such information may not be sold or shared unless
otherwise authorized under this section.
 (z)  Personal information necessary for a product recall
for a product purchased or owned by the consumer conducted in
accordance with federal law. Such information may not be sold or
shared unless otherwise authorized under this section.
 (aa)  Personal information processed solely for the purpose
of independently measuring or reporting advertising or content
performance, reach, or frequency pursuant to a contract with a
controller that collected personal information in accordance
with this section. Such information may not be sold or shared
unless otherwise authorized under this section.
 (2)  DEFINITIONS.—As used in this section, the term:
 (a)  "Aggregate consumer information" means information
that relates to a group or category of consumers, from which the
identity of an individual consumer has been removed and is not
reasonably capable of being directly or indirectly associated or
linked with, any consumer, household, or device. The term does
not include personal information that has been deidentified.
 (b)  "Biometric information" means an individual's
physiological, biological, or behavioral characteristics that
can be used, singly or in combination with each other or with
other identifying data, to establish individual identity. The
term includes, but is not limited to, imagery of the iris,
retina, fingerprint, face, hand, palm, vein patterns, and voice
recordings, from which an identifier template, such as a
faceprint, a minutiae template, or a voiceprint, can be
extracted, and keystroke patterns or rhythms, gait patterns or
rhythms, and sleep, health, or exercise data that contain
identifying information.
 (c)  "Collect" means to buy, rent, gather, obtain, receive,
or access any personal information pertaining to a consumer by
any means. The term includes, but is not limited to, actively or
passively receiving information from the consumer or by
observing the consumer's behavior or actions.
 (d)  "Consumer" means a natural person who resides in or is
domiciled in this state, however identified, including by any
unique identifier, who is acting in a personal capacity or
household context. The term does not include a natural person
acting on behalf of a legal entity in a commercial or employment
context.
 (e)  "Controller" means:
 1.  A sole proprietorship, partnership, limited liability
company, corporation, association, or legal entity that meets
the following requirements:
 a.  Is organized or operated for the profit or financial
benefit of its shareholders or owners;
 b.  Does business in this state;
 c.  Collects personal information about consumers, or is
the entity on behalf of which such information is collected;
 d.  Determines the purposes and means of processing
personal information about consumers alone or jointly with
others; and
 e.  Satisfies at least two of the following thresholds:
 (I)  Has global annual gross revenues in excess of $50
million, as adjusted in January of every odd-numbered year to
reflect any increase in the Consumer Price Index.
 (II)  Annually buys, sells, or shares the personal
information of 50,000 or more consumers, households, and devices
for the purpose of targeted advertising in conjunction with
third parties. The 50,000 total only includes personal
information that is bought, sold, or shared within the previous
12 months.
 (III)  Derives 50 percent or more of its global annual
revenues from selling or sharing personal information about
consumers.
 2.  Any entity that controls or is controlled by a
controller. As used in this subparagraph, the term "control"
means:
 a.  Ownership of, or the power to vote, more than 50
percent of the outstanding shares of any class of voting
security of a controller;
 b.  Control in any manner over the election of a majority
of the directors, or of individuals exercising similar
functions; or
 c.  The power to exercise a controlling influence over the
management of a company.
 (f)  "Deidentified" means information that cannot
reasonably be used to infer information about or otherwise be
linked to a particular consumer, provided that the controller
that possesses the information:
 1.  Takes reasonable measures to ensure that the
information cannot be associated with a specific consumer;
 2.  Maintains and uses the information in deidentified form
and not to attempt to reidentify the information, except that
the controller may attempt to reidentify the information solely
for the purpose of determining whether its deidentification
processes satisfy the requirements of this paragraph; and
 3.  Contractually obligates any recipients of the
information to comply with all the provisions of this paragraph
to avoid reidentifying such information.
 (g)  "Department" means the Department of Legal Affairs.
 (h)  "Device" means a physical object associated with a
consumer or household capable of directly or indirectly
connecting to the Internet.
 (i)  "Genetic information" means an individual's
deoxyribonucleic acid (DNA).
 (j)  "Homepage" means the introductory page of an Internet
website and any Internet webpage where personal information is
collected. In the case of a mobile application, the homepage is
the application's platform page or download page, a link within
the application, such as the "About" or "Information"
application configurations, or settings page, and any other
location that allows consumers to review the notice required by
subsection (7), including, but not limited to, before
downloading the application.
 (k)  "Household" means a natural person or a group of
people in this state who reside at the same address, share a
common device or the same service provided by a controller, and
are identified by a controller as sharing the same group account
or unique identifier.
 (l)  "Personal information" means information that is
linked or reasonably linkable to an identified or identifiable
consumer or household, including biometric information, genetic
information, and unique identifiers to the consumer. The term
does not include consumer information that is:
 1.  Consumer employment contact information, including a
position name or title, employment qualifications, emergency
contact information, business telephone number, business
electronic mail address, employee benefit information, and
similar information used solely in an employment context.
 2.  Deidentified or aggregate consumer information.
 3.  Publicly and lawfully available information reasonably
believed to be made available to the general public:
 a.  From federal, state, or local government records.
 b.  By a widely distributed media source.
 c.  By the consumer or by someone to whom the consumer
disclosed the information unless the consumer has purposely and
effectively restricted the information to a certain audience on
a private account.
 (m)  "Processing" means any operation or set of operations
that are performed on personal information or on sets of
personal information, whether or not by automated means.
 (n)  "Processor" means a sole proprietorship, partnership,
limited liability company, corporation, association, or other
legal entity that is organized or operated for the profit or
financial benefit of its shareholders or other owners, that
processes information on behalf of a controller and to which the
controller discloses a consumer's personal information pursuant
to a written contract, provided that the contract prohibits the
entity receiving the information from retaining, using, or
disclosing the personal information for any purpose other than
for the specific purpose of performing the services specified in
the contract for the controller, as permitted by this section.
 (o)  "Sell" means to sell, rent, release, disclose,
disseminate, make available, transfer, or otherwise communicate
orally, in writing, or by electronic or other means, a
consumer's personal information by a controller to another
controller or a third party for monetary or other valuable
consideration.
 (p)  "Share" means to share, rent, release, disclose,
disseminate, make available, transfer, or access a consumer's
personal information for advertising or marketing. The term
includes:
 1.  Allowing a third party to advertise or market to a
consumer based on a consumer's personal information without
disclosure of the personal information to the third party.
 2.  Monetary transactions, nonmonetary transactions, and
transactions for other valuable consideration between a
controller and a third party for advertising or marketing.
 (q)  "Targeted advertising" means marketing to a consumer
or displaying an advertisement to a consumer when the
advertisement is selected based on personal information used to
predict such consumer's preferences or interests.
 (r)  "Third party" means a person who is not the controller
or the processor.
 (s)  "Verifiable consumer request" means a request related
to personal information that is made by a consumer, by a parent
or guardian on behalf of a consumer who is a minor child, or by
a person authorized by the consumer to act on the consumer's
behalf, in a form that is reasonably and readily accessible to
consumers and that the controller can reasonably verify to be
the consumer, pursuant to rules adopted by the department.
 (3)  CONSUMER DATA COLLECTION REQUIREMENTS AND
RESPONSIBILITIES.—
 (a)  A controller that collects personal information about
consumers shall maintain an up-to-date online privacy policy and
make such policy available from its homepage. The online privacy
policy must include the following information:
 1.  Any Florida-specific consumer privacy rights.
 2.  A list of the types and categories of personal
information the controller collects, sells, or shares, or has
collected, sold, or shared, about consumers.
 3.  The consumer's right to request deletion or correction
of certain personal information.
 4.  The consumer's right to opt-out of the sale or sharing
to third parties.
 (b)  A controller that collects personal information from
the consumer shall, at or before the point of collection,
inform, or direct the processor to inform, consumers of the
categories of personal information to be collected and the
purposes for which the categories of personal information will
be used.
 (c)  A controller may not collect additional categories of
personal information or use personal information collected for
additional purposes without providing the consumer with notice
consistent with this section.
 (d)  A controller that collects a consumer's personal
information shall implement and maintain reasonable security
procedures and practices appropriate to the nature of the
personal information to protect the personal information from
unauthorized or illegal access, destruction, use, modification,
or disclosure.
 (e)  A controller shall adopt and implement a retention
schedule that prohibits the use or retention of personal
information not subject to an exemption by the controller or
processor after the satisfaction of the initial purpose for
which such information was collected or obtained, after the
expiration or termination of the contract pursuant to which the
information was collected or obtained, or 3 years after the
consumer's last interaction with the controller. This paragraph
does not apply to personal information reasonably used or
retained to do any of the following:
 1.  Fulfill the terms of a written warranty or product
recall conducted in accordance with federal law.
 2.  Provide a good or service requested by the consumer, or
reasonably anticipate the request of such good or service within
the context of a controller's ongoing business relationship with
the consumer.
 3.  Detect security threats or incidents; protect against
malicious, deceptive, fraudulent, unauthorized, or illegal
activity or access; or prosecute those responsible for such
activity or access.
 4.  Debug to identify and repair errors that impair
existing intended functionality.
 5.  Engage in public or peer-reviewed scientific,
historical, or statistical research in the public interest that
adheres to all other applicable ethics and privacy laws when the
controller's deletion of the information is likely to render
impossible or seriously impair the achievement of such research,
if the consumer has provided informed consent.
 6.  Enable solely internal uses that are reasonably aligned
with the expectations of the consumer based on the consumer's
relationship with the controller or that are compatible with the
context in which the consumer provided the information.
 7.  Comply with a legal obligation, including any state or
federal retention laws.
 8.  As reasonably needed to protect the controller's
interests against existing disputes, legal action, or
governmental investigations.
 9.  Assure the physical security of persons or property.
 (4)  CONSUMER RIGHT TO REQUEST COPY OF PERSONAL DATA
COLLECTED, SOLD, OR SHARED.—
 (a)  A consumer has the right to request that a controller
that collects, sells, or shares personal information about the
consumer to disclose the following to the consumer:
 1.  The specific pieces of personal information that have
been collected about the consumer.
 2.  The categories of sources from which the consumer's
personal information was collected.
 3.  The specific pieces of personal information about the
consumer that were sold or shared.
 4.  The third parties to which the personal information
about the consumer was sold or shared.
 5.  The categories of personal information about the
consumer that were disclosed to a processor.
 (b)  A controller that collects, sells, or shares personal
information about a consumer shall disclose the information
specified in paragraph (a) to the consumer upon receipt of a
verifiable consumer request.
 (c)  This subsection does not require a controller to
retain, reidentify, or otherwise link any data that, in the
ordinary course of business is not maintained in a manner that
would be considered personal information.
 (d)  The controller shall deliver the information required
or act on the request in this subsection to a consumer free of
charge within 45 calendar days after receiving a verifiable 476 
consumer request. The response period may be extended once by 45 477 
additional calendar days when reasonably necessary, provided the 478
controller informs the consumer of any such extension within the 479 
initial 45-day response period and the reason for the extension. 480 
The information must be delivered in a readily usable format. A 481 
controller is not obligated to provide information to the 482
consumer if the consumer or a person authorized to act on the 483 
consumer's behalf does not provide verification of identity or 484 
verification of authorization to act with the permission of the 485 
consumer. 486 
 (e)  A controller may provide personal information to a 487 
consumer at any time, but is not required to provide personal 488 
information to a consumer more than twice in a 12-month period. 489
 (f)  This subsection does not apply to personal information 490 
relating solely to households. 491 
 (5)  RIGHT TO HAVE PERSONAL INFORMATION DELETED OR 492
CORRECTED.— 493 
 (a)  A consumer has the right to request that a controller 494 
delete any personal information about the consumer which the 495 
controller has collected. 496 
 1.  A controller that receives a verifiable consumer 497 
request to delete the consumer's personal information shall 498 
delete the consumer's personal information from its records and 499 
direct any processors to delete such information within 90 500          
 
calendar days of receipt of the verifiable consumer request. 501 
 2.  A controller or a processor acting pursuant to its 502
contract with the controller may not be required to comply with 503 
a consumer's request to delete the consumer's personal 504 
information if it is reasonably necessary for the controller or 505 
processor to maintain the consumer's personal information to do 506
any of the following: 507 
 a.  Complete the transaction for which the personal 508 
information was collected. 509 
 b.  Fulfill the terms of a written warranty or product 510 
recall conducted in accordance with federal law. 511 
 c.  Provide a good or service requested by the consumer, or 512
reasonably anticipate the request of such good or service within 513 
the context of a controller's ongoing business relationship with 514 
the consumer, or otherwise perform a contract between the 515 
controller and the consumer. 516 
 d.  Detect security threats or incidents; protect against 517 
malicious, deceptive, fraudulent, unauthorized, or illegal 518 
activity or access; or prosecute those responsible for such 519 
activity or access. 520 
 e.  Debug to identify and repair errors that impair 521 
existing intended functionality. 522 
 f.  Engage in public or peer-reviewed scientific, 523
historical, or statistical research in the public interest that 524 
adheres to all other applicable ethics and privacy laws when the 525          
 
controller's deletion of the information is likely to render 526
impossible or seriously impair the achievement of such research, 527 
if the consumer has provided informed consent. 528 
 g.  Enable solely internal uses that are reasonably aligned 529 
with the expectations of the consumer based on the consumer's 530 
relationship with the controller or that are compatible with the 531 
context in which the consumer provided the information. 532 
 h.  Comply with a legal obligation, including any state or 533 
federal retention laws. 534 
 i.  As reasonably needed to protect the controller's 535 
interests against existing disputes, legal action, or 536 
governmental investigations. 537 
 j.  Assure the physical security of persons or property. 538 
 (b)  A consumer has the right to make a request to correct 539 
inaccurate personal information to a controller that maintains 540 
inaccurate personal information about the consumer. A controller 541 
that receives a verifiable consumer request to correct 542 
inaccurate personal information shall use commercially 543 
reasonable efforts to correct the inaccurate personal 544 
information as directed by the consumer and direct any 545
processors to correct such information within 90 calendar days 546 
after receipt of the verifiable consumer request. If a 547 
controller maintains a self-service mechanism to allow a 548
consumer to correct certain personal information, the controller 549 
may require the consumer to correct their own personal 550          
 
information through such mechanism. A controller or a processor 551 
acting pursuant to its contract with the controller may not be 552 
required to comply with a consumer's request to correct the 553 
consumer's personal information if it is reasonably necessary 554 
for the controller or processor to maintain the consumer's 555 
personal information to do any of the following: 556 
 1.  Complete the transaction for which the personal 557 
information was collected. 558 
 2.  Fulfill the terms of a written warranty or product 559 
recall conducted in accordance with federal law. 560 
 3.  Detect security threats or incidents; protect against 561 
malicious, deceptive, fraudulent, unauthorized, or illegal 562 
activity or access; or prosecute those responsible for such 563
activity or access. 564 
 4.  Debug to identify and repair errors that impair 565 
existing intended functionality. 566 
 5.  Enable solely internal uses that are reasonably aligned 567 
with the expectations of the consumer based on the consumer's 568 
relationship with the controller or that are compatible with the 569 
context in which the consumer provided the information. 570 
 6.  Comply with a legal obligation, including any state or 571 
federal retention laws. 572 
 7.  As reasonably needed to protect the controller's 573 
interests against existing disputes, legal action, or 574 
governmental investigations. 575          
 
 8.  Assure the physical security of persons or property. 576 
 (6)  RIGHT TO OPT-OUT OF THE SALE OR SHARING OF PERSONAL 577 
INFORMATION.— 578 
 (a)  A consumer has the right at any time to direct a 579 
controller not to sell or share the consumer's personal 580 
information to a third party. This right may be referred to as 581 
the right to opt-out. 582 
 (b)  Notwithstanding paragraph (a), a controller may not 583 
sell or share the personal information of a minor consumer if 584
the controller has actual knowledge that the consumer is not 18 585 
years of age or older. However, if a consumer who is between 13 586 
and 18 years of age, or if the parent or guardian of a consumer 587 
who is 12 years of age or younger, has affirmatively authorized 588
the sale or sharing of such consumer's personal information, 589 
then a controller may sell or share such information in 590 
accordance with this section. A controller that willfully 591 
disregards the consumer's age is deemed to have actual knowledge 592 
of the consumer's age. A controller that complies with the 593 
verifiable parental consent requirements of the Children's 594 
Online Privacy Protection Act, 15 U.S.C. s. 6501 et seq., shall 595 
be deemed compliant with any obligation to obtain parental 596 
consent. 597 
 (c)  A controller that has received direction from a 598 
consumer opting-out of the sale or sharing of the consumer's 599 
personal information is prohibited from selling or sharing the 600          
 
consumer's personal information beginning 4 calendar days after 601 
receipt of such direction, unless the consumer subsequently 602
provides express authorization for the sale or sharing of the 603 
consumer's personal information. 604 
 (7)  FORM TO OPT-OUT OF SALE OR SHARING OF PERSONAL 605 
INFORMATION.— 606 
 (a)  A controller shall: 607 
 1.  In a form that is reasonably accessible to consumers, 608
provide a clear and conspicuous link on the controller's 609 
Internet homepage, entitled "Do Not Sell or Share My Personal 610 
Information," to an Internet webpage that enables a consumer, or 611 
a person authorized by the consumer, to opt-out of the sale or 612
sharing of the consumer's personal information. A controller may 613 
not require a consumer to create an account in order to direct 614 
the controller not to sell or share the consumer's personal 615 
information. A controller may accept a request to opt-out 616 
received through a user-enabled global privacy control, such as 617
a browser plug-in or privacy setting, device setting, or other 618 
mechanism, which communicates or signals the consumer's choice 619 
to opt out. 620 
 2.  For consumers who opted-out of the sale or sharing of 621
their personal information, respect the consumer's decision to 622 
opt-out for at least 12 months before requesting that the 623 
consumer authorize the sale or sharing of the consumer's 624 
personal information. 625          
 
 3.  Use any personal information collected from the 626
consumer in connection with the submission of the consumer's 627 
opt-out request solely for the purposes of complying with the 628 
opt-out request. 629 
 (b)  A consumer may authorize another person to opt-out of 630
the sale or sharing of the consumer's personal information on 631
the consumer's behalf pursuant to rules adopted by the 632 
department. 633 
 (8)  ACTIONS RELATED TO CONSUMERS WHO EXERCISE PRIVACY 634 
RIGHTS.— 635 
 (a)  A controller may charge a consumer who exercised any 636 
of the consumer's rights under this section a different price or 637 
rate, or provide a different level or quality of goods or 638 
services to the consumer, only if that difference is reasonably 639 
related to the value provided to the controller by the 640 
consumer's data or is related to a consumer's voluntary 641 
participation in a financial incentive program, including a bona 642 
fide loyalty, rewards, premium features, discounts, or club card 643 
program offered by the controller. 644 
 (b)  A controller may offer financial incentives, including 645 
payments to consumers as compensation, for the collection, 646
sharing, sale, or deletion of personal information if the 647 
consumer gives the controller prior consent that clearly 648 
describes the material terms of the financial incentive program. 649 
The consent may be revoked by the consumer at any time. 650
 
 (c)  A controller may not use financial incentive practices 651 
that are unjust, unreasonable, coercive, or usurious in nature. 652 
 (9)  CONTRACTS AND ROLES.— 653
 (a)  Any contract or agreement between a controller and a 654 
processor must: 655 
 1.  Prohibit the processor from selling, sharing, 656
retaining, using, or disclosing the personal information for any 657 
purpose that violates this section; 658 
 2.  Govern the processor's personal information processing 659 
procedures with respect to processing performed on behalf of the 660 
controller, including processing instructions, the nature and 661 
purpose of processing, the type of information subject to 662 
processing, the duration of processing, and the rights and 663 
obligations of both the controller and processor; 664 
 3.  Require the processor to return or delete all personal 665 
information under the contract to the controller as requested by 666 
the controller at the end of the provision of services, unless 667 
retention of the information is required by law; and 668 
 4.  Upon request of the controller, require the processor 669 
to make available to the controller all personal information in 670 
its possession under the contract or agreement. 671 
 (b)  Determining whether a person is acting as a controller 672 
or processor with respect to a specific processing of data is a 673 
fact-based determination that depends upon the context in which 674 
personal information is to be processed. The contract between a 675          
 
controller and processor must reflect their respective roles and 676 
relationships related to handling personal information. A 677 
processor that continues to adhere to a controller's 678 
instructions with respect to a specific processing of personal 679 
information remains a processor. 680 
 (c)  A third party may not sell or share personal 681 
information about a consumer that has been sold or shared to the 682 
third party by a controller unless the consumer has received 683 
explicit notice from the third party and is provided an 684 
opportunity to opt-out by the third party. 685 
 (d)  A processor or third party must require any 686 
subcontractor to meet the same obligations of such processor or 687 
third party with respect to personal information. 688 
 (e)  A processor or third party or any subcontractor 689 
thereof who violates any of the restrictions imposed upon it 690 
under this section is liable or responsible for any failure to 691 
comply with this section. 692 
 (f)  Any provision of a contract or agreement of any kind 693 
that waives or limits in any way a consumer's rights under this 694 
section, including, but not limited to, any right to a remedy or 695 
means of enforcement, is deemed contrary to public policy and is 696
void and unenforceable. This section does not prevent a consumer 697 
from declining to exercise the consumer's rights under this 698 
section. 699 
 (10)  CIVIL ACTIONS; PRIVATE RIGHT OF ACTION.— 700
 
 (a)  A Florida consumer may only bring a civil action 701 
pursuant to this section against: 702 
 1.  A controller, processor, or third party who has global 703 
annual gross revenues of at least $50 million, but not more than 704 
$500 million, as adjusted in January of every odd-numbered year 705
to reflect any increase in the Consumer Price Index. Upon 706 
prevailing, the Florida consumer may be awarded relief described 707 
in paragraph (c), but may not be awarded attorney fees or costs. 708 
Any private claim solely based on this section against a 709 
controller, processor, or third party who has global annual 710
gross revenues of less than $50 million, is barred. 711 
 2.  A controller, processor, or third party who has global 712 
annual gross revenues of more than $500 million, as adjusted in 713 
January of every odd-numbered year to reflect any increase in 714
the Consumer Price Index. Upon prevailing, the Florida consumer 715 
may be awarded relief described in paragraph (c), and shall 716 
recover reasonable attorney fees and costs. 717 
 (b)  A Florida consumer may only bring a civil action 718 
pursuant to this section against a controller, processor, or 719 
third party who meets a threshold in paragraph (a) for the 720 
following actions: 721 
 1.  Failure to delete or correct the consumer's personal 722 
information pursuant to this section after receiving a 723 
verifiable consumer request or directions to delete or correct 724
from a controller unless the controller, processor, or third 725          
 
party qualifies for an exception to the requirements to delete 726 
or correct under this section. 727 
 2.  Continuing to sell or share the consumer's personal 728 
information after the consumer chooses to opt-out pursuant to 729
this section. 730 
 3.  Selling or sharing the personal information of the 731 
consumer age 18 or younger without obtaining consent as required 732 
by this section. 733 
 (c)  A court may grant the following relief to a Florida 734 
consumer: 735 
 1.  Statutory damages in an amount not less than $100 and 736 
not greater than $750 per consumer per incident or actual 737 
damages, whichever is greater. 738 
 2.  Injunctive or declaratory relief. 739 
 (d)  Upon prevailing, a controller, processor, or third 740 
party may only be awarded attorney fees if the court finds that 741 
there was a complete absence of a justiciable issue of either 742 
law or fact raised by the consumer or if the court finds bad 743 
faith on the part of the consumer, including if the consumer is 744 
not a Florida consumer. 745 
 (e)  A consumer must commence a civil action for a claim 746 
under this section within 1 year after discovery of the 747 
violation. 748 
 (f)  Any action under this subsection may only be brought 749 
by or on behalf of a Florida consumer. 750          
 
 (g)  Liability for a tort, contract claim, or consumer 751 
protection claim which is unrelated to an action brought under 752 
this subsection or subsection (11) does not arise solely from 753 
the failure of a controller, processor, or third party to comply 754 
with this section and evidence of such may only be used as the 755 
basis to prove a cause of action under this subsection. 756 
 (h)  In assessing the amount of statutory damages, the 757 
court shall consider any one or more of the relevant 758 
circumstances presented by any of the parties to the case, 759 
including, but not limited to, the nature and seriousness of the 760 
misconduct, the number of violations, the length of time over 761 
which the misconduct occurred, and the defendant's assets, 762 
liability, and net worth. 763 
 (11)  ENFORCEMENT AND IMPLEMENTATION BY THE DEPARTMENT.— 764
 (a)  Any violation of this section is an unfair and 765 
deceptive trade practice actionable under part II of chapter 501 766 
solely by the department against a controller, processor, or 767 
person. If the department has reason to believe that any 768 
controller, processor, or third party is in violation of this 769 
section, the department, as the enforcement authority, may bring 770 
an action against such controller, processor, or third party for 771 
an unfair or deceptive act or practice. For the purpose of 772 
bringing an action pursuant to this section, ss. 501.211 and 773 
501.212 do not apply. Civil penalties may be tripled if the 774 
violation: 775          
 
 1.  Involves a Florida consumer who the controller, 776 
processor, or third party has actual knowledge is 18 years of 777 
age or younger; or 778 
 2.  Is based on paragraph (10)(b). 779 
 (b)  After the department has notified a controller, 780 
processor, or third party in writing of an alleged violation, 781 
the department may in its discretion grant a 45-day period to 782
cure the alleged violation. The 45-day cure period does not 783
apply to a violation of subparagraph (10)(b)1. The department 784 
may consider the number and frequency of violations, the 785 
substantial likelihood of injury to the public, and the safety 786 
of persons or property when determining whether to grant 45 787 
calendar days to cure and the issuance of a letter of guidance. 788 
If the violation is cured to the satisfaction of the department 789 
and proof of such cure is provided to the department, the 790 
department in its discretion may issue a letter of guidance. If 791 
the controller, processor, or third party fails to cure the 792 
violation within 45 calendar days, the department may bring an 793 
action against the controller, processor, or third party for the 794 
alleged violation. 795 
 (c)  Any action brought by the department may only be 796 
brought on behalf of a Florida consumer. 797 
 (d)  By February 1 of each year, the department shall 798 
submit a report to the President of the Senate and the Speaker 799 
of the House of Representatives describing any actions taken by 800          
 
the department to enforce this section. The report shall include 801
statistics and relevant information detailing: 802 
 1.  The number of complaints received; 803 
 2.  The number and type of enforcement actions taken and 804 
the outcomes of such actions; 805 
 3.  The number of complaints resolved without the need for 806
litigation; and 807 
 4.  The status of the development and implementation of 808 
rules to implement this section. 809 
 (e)  The department may adopt rules to implement this 810 
section, including standards for verifiable consumer requests, 811 
enforcement, data security, and authorized persons who may act 812 
on a consumer's behalf. 813 
 (12)  JURISDICTION.—For purposes of bringing an action in 814 
accordance with subsections (10) and (11), any person who meets 815 
the definition of controller as defined in this section that 816 
collects, shares, or sells the personal information of Florida 817 
consumers, is considered to be both engaged in substantial and 818 
not isolated activities within this state and operating, 819 
conducting, engaging in, or carrying on a business, and doing 820 
business in this state, and is therefore subject to the 821 
jurisdiction of the courts of this state. 822 
 (13)  PREEMPTION.—This section is a matter of statewide 823 
concern and supersedes all rules, regulations, codes, 824 
ordinances, and other laws adopted by a city, county, city and 825
 
county, municipality, or local agency regarding the collection, 826 
processing, sharing, or sale of consumer personal information by 827 
a controller or processor. The regulation of the collection, 828 
processing, sharing, or sale of consumer personal information by 829
a controller or processor is preempted to the state. 830 
 Section 2.  Paragraph (g) of subsection (1) of section 831 
501.171, Florida Statutes, is amended to read: 832 
 501.171  Security of confidential personal information.— 833
 (1)  DEFINITIONS.—As used in this section, the term: 834 
 (g)1.  "Personal information" means either of the 835 
following: 836 
 a.  An individual's first name or first initial and last 837 
name in combination with any one or more of the following data 838 
elements for that individual: 839 
 (I)  A social security number; 840 
 (II)  A driver license or identification card number, 841 
passport number, military identification number, or other 842 
similar number issued on a government document used to verify 843 
identity; 844 
 (III)  A financial account number or credit or debit card 845 
number, in combination with any required security code, access 846 
code, or password that is necessary to permit access to an 847 
individual's financial account; 848 
 (IV)  Any information regarding an individual's medical 849 
history, mental or physical condition, or medical treatment or 850          
 
diagnosis by a health care professional; or 851 
 (V)  An individual's health insurance policy number or 852 
subscriber identification number and any unique identifier used 853 
by a health insurer to identify the individual. 854 
 (VI)  An individual's biometric information or genetic 855
information as defined in s. 501.173(2). 856
 b.  A user name or e-mail address, in combination with a 857
password or security question and answer that would permit 858 
access to an online account. 859 
 2.  The term does not include information about an 860 
individual that has been made publicly available by a federal, 861 
state, or local governmental entity. The term also does not 862 
include information that is encrypted, secured, or modified by 863 
any other method or technology that removes elements that 864 
personally identify an individual or that otherwise renders the 865 
information unusable. 866 
 Section 3.  This act shall take effect January 1, 2023. 867