The Florida Senate
BILL ANALYSIS AND FISCAL IMPACT STATEMENT
(This document is based on the provisions contained in the legislation as of the latest date listed below.)
Prepared By: The Professional Staff of the Committee on Commerce and Tourism
BILL: CS/SB 262
INTRODUCER: Commerce and Tourism Committee and Senator Bradley
SUBJECT: Technology Transparency
DATE: April 5, 2023
ANALYST STAFF DIRECTOR REFERENCE ACTION
1. McMillan McKay CM Fav/CS
2. JU
3. RC
Please see Section IX. for Additional Information:
COMMITTEE SUBSTITUTE - Substantial Changes
I. Summary:
CS/SB 262 prohibits employees of a governmental entity from using their position or any state
resources to communicate with a social media platform to request that it remove content or
accounts. Additionally, a government entity cannot initiate or maintain any agreements with a
social media platform for the purpose of content moderation. The bill provides certain
exceptions.
The bill creates a unified scheme to allow Florida’s consumers to control the digital flow of their
personal information. Specifically, it gives consumers the right to:
Access their personal information;
Delete or correct that personal information; and
Opt out of the sale or sharing of their personal information.
The Act generally applies to businesses that collect Florida consumers’ personal information,
make in excess of $1 billion in gross revenues, and meet one of the following thresholds:
Derives 50 percent or more if its global annual revenues from providing targeted advertising
or the sale of ads online; or
Operated a consumer smart speaker and voice command component service with an
integrated virtual assistant connected to a cloud computing service that uses hands-free
verbal activation.
REVISED: BILL: CS/SB 262 Page 2
The bill prohibits the collection of a consumer’s precise geolocation data or personal information
through the operation of a voice recognition feature, unless the consumer provides authorization.
The bill requires a search engine to provide a consumer with information on how the search
engine algorithm prioritizes or deprioritizes political partisanship or political ideology in its
search results.
The Florida Department of Legal Affairs has authority to enforce the bill.
The bill also adds “biometric data,” “genetic information,” and “geolocation data” to the
definition of “personal information” under the Florida Information Protection Act. As such,
entities that possess fingerprints, DNA, and other biological or physiological identifying
information must take reasonable measures to protect that data and report data breaches.
The bill takes effect on July 1, 2023.
II. Present Situation:
Internet and Social Media Platforms
There are many ways in which individuals access computer systems and interact with systems
and other individuals on the Internet. Examples include:
Social media sites, which are websites and applications, that allow users to communicate
informally with others, find people, and share similar interests;
1
Internet platforms, which are servers used by an Internet provider to support Internet access
by their customers;
2
Internet search engines, which are computer software used to search data (such as text or a
database) for specified information;
3
and
Access software providers, which are providers of software (including client or server
software) or enabling tools for content processing.
4
Such platforms earn revenue through various modes and models. Examples include:
Data monetization.
5
This uses data that is gathered and stored on the millions of users that
spend time on free content sites, including specific user location, browsing habits, buying
behavior, and unique interests. This data can be used to help e-commerce companies tailor
1
DelValle Institute Learning Center, Social Media Platforms, available at
https://delvalle.bphc.org/mod/wiki/view.php?pageid=65 (last visited April 5, 2023).
2
IGI Global, Internet Platform, available at https://www.igi-global.com/dictionary/internet-platform/15441 (last visited
April 5, 2023).
3
Merriam Webster, Search Engine, available at https://www.merriam-webster.com/dictionary/search%20engine (last visited
April 5, 2023).
4
47 U.S.C. § 230(f)(4) defining “access software provider to mean a provider of software (including client or server
software), or enabling tools that do any one or more of the following: (i) filter, screen, allow, or disallow content; (ii) pick,
choose, analyze, or digest content; or (iii) transmit, receive, display, forward, cache, search, subset, organize, reorganize, or
translate content.
5
The Alexander von Humboldt Institute for Internet and Society, How do digital platforms make their money?, July 29,
2019, available at https://www.hiig.de/en/how-do-digital-platforms-make-their-money/ (last visited April 5, 2023). BILL: CS/SB 262 Page 3
their marketing campaigns to a specific set of online consumers. Platforms that use this
model are typically free for users to use.
6
Subscription or membership fees. This model requires users pay for a particular or unlimited
use of the platform infrastructure.
7
Transaction fees. This model allows platforms to benefit from every transaction that is
enabled between two or more actors. An example is AirBnB, where users transacting on the
site are charged a fee.
8
Freedom of Speech and Internet Platforms
Section 230
The federal Communications Decency Act (CDA) was passed in 1996 “to protect children from
sexually explicit Internet content.”
9
47 U.S. Code § 230 (Section 230) was added as an
amendment to the CDA to maintain the robust nature of Internet communication and,
accordingly, to keep government interference in the medium to a minimum.”
10
Congress stated in Section 230 that “[i]t is the policy of the United States—(1) to promote the
continued development of the Internet and other interactive computer services and other
interactive media; [and] (2) to preserve the vibrant and competitive free market that presently
exists for the Internet and other interactive computer services, unfettered by Federal or State
regulation.”
11
Specifically, Section 230 states that no provider or user of an interactive computer service may
be held liable on account of:
12
Any action voluntarily taken in good faith to restrict access to or availability of material that
the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent,
harassing, or otherwise objectionable, whether or not such material is constitutionally
protected; or
Any action taken to enable or make available to information content providers or others the
technical means to restrict access to material from any person or entity that is responsible for
the creation or development of information provided through any interactive computer
service.
6
Investopedia, How Do Internet Companies Profit with Free Services?, available at
https://www.investopedia.com/ask/answers/040215/how-do-internet-companies-profit-if-they-give-away-their-services-
free.asp#:~:text=Profit%20Through%20Advertising,content%20is%20through%20advertising%20revenue.&text=Each%20o
f%20these%20users%20represents,and%20services%20via%20the%20Internet (last visited April 5, 2023).
7
HIIS, supra note 5.
8
Id.
9
Force v. Facebook, Inc., 934 F.3d 53, 63 (2d Cir. 2019) (citing FTC v. LeadClick Media, LLC, 838 F.3d 158, 173 (2d Cir.
2016) (citing 141 Cong. Rec. S1953 (daily ed. Feb. 1, 1995) (statement of Sen. Exon))).
10
Force, 934 F.3d at 63 (quoting Ricci v. Teamsters Union Local 456, 781 F.3d 25, 28 (2d Cir. 2015) (quoting Zeran v. Am.
Online, Inc., 129 F.3d 327, 330 (4th Cir. 1997)).
11
47 U.S.C. § 230(b)(1)–(2).
12
47 U.S.C. § 230(c). BILL: CS/SB 262 Page 4
Section 230 “assuaged Congressional concern regarding the outcome of two inconsistent judicial
decisions,
13
both of which “appl[ied] traditional defamation law to internet providers.”
14
The first
decision held that an interactive computer service provider could not be liable for a third party's
defamatory statement ... but the second imposed liability where a service provider filtered
content in an effort to block obscene material.”
15
To provide clarity, Section 230 provides that
“[n]o provider ... of an interactive computer service shall be treated as the publisher or speaker of
any information provided by another information content provider.
16
In light of Congress's
objectives, the Circuits are in general agreement that the text of Section 230(c)(1) should be
construed broadly in favor of immunity.
17
Section 230 specifically addresses how the federal law affects other laws. Section 230 prohibits
all inconsistent causes of action and prohibits liability imposed under any State or local law.
18
Section 230 does not affect federal criminal law, intellectual property law, the Electronic
Communications Privacy Act of 1986, or sex trafficking law.
There have been criticisms of the broad immunity provisions or liability shields which force
individuals unhappy with third-party content to sue the user who posted it. While this immunity
has fostered the free flow of ideas on the Internet, critics have argued that Section 230 shields
publishers from liability for allowing harmful content.
19
Congressional and executive proposals
to limit immunity for claims relating to platforms purposefully hosting content from those
engaging in child exploitation, terrorism, and cyber-stalking have been introduced.
20
Bills have
been filed that would require internet platforms to have clear content moderation policies, submit
detailed transparency reports, and remove immunity for platforms that engage in certain
behavioral advertising practices.
21
Proposals have also been offered to limit the liability shield
for internet providers who restrict speech based on political viewpoints.
22
Recently, the Supreme Court heard oral arguments in Gonzalez v. Google LLC, to determine
whether online platforms should be held accountable when their algorithms prioritize or
recommend certain content to its users.
23
The plaintiff in the case argues that Google aided and
abetted international terrorism because its computer algorithms suggest certain content to its
13
Cubby, Inc. v. CompuServe, Inc., 776 F. Supp. 135 (S.D.N.Y. 1991) and Stratton Oakmont, Inc. v. Prodigy Servs. Co., No.
31063/94, 1995 WL 323710 (N.Y. Sup. Ct. May 24, 1995).
14
Force, 934 F.3d at 63 (quoting LeadClick, 838 F.3d at 173).
15
Force, 934 F.3d at 63 (quoting LeadClick, 838 F.3d at 173 (citing 141 Cong. Rec. H8469-70 (daily ed. Aug. 4, 1995)
(statement of Rep. Cox))).
16
47 U.S.C. § 230(c)(1).
17
Force, 934 F.3d at 63 (quoting LeadClick, 838 F.3d at 173).
18
47 U.S.C. § 230(e).
19
Zoe Bedell and John Major, What’s Next for Section 230? A Roundup of Proposals Lawfare, (July 29, 2020)
https://www.lawfareblog.com/whats-next-section-230-roundup-proposals (last visited Feb. 25, 2021).
20
Id; United States Department of Justice, Department of Justice’s Review of Section 230 of the Communications Decency
Act of 1996, https://www.justice.gov/archives/ag/department-justice-s-review-section-230-communications-decency-act-
1996 (last visited Feb. 25, 2021); EARN IT Act of 2020, S.3398, 116th Cong. (2020).
21
Bedell, supra note 27; PACT Act, S.4066, 116th Cong. (2020); BAD ADS Act, S.4337, 116th Cong. (2020).
22
Bedell, supra note 27; Limiting Section 230 Immunity to Good Samaritans Act, S.3983, 116th Cong. (2020)
23
See Kaitlyn Tiffany, The Supreme Court Considers the Algorithm (Feb. 1, 2023)
https://www.theatlantic.com/technology/archive/2023/02/supreme-court-section-230-twitter-google-algorithm/672915/ (last
visited April 5, 2023). BILL: CS/SB 262 Page 5
users based on their viewing history.
24
The district court granted Google’s motion to dismiss
based on Section 230, and the U.S. Court of Appeals for the Ninth Circuit affirmed.
25
Search Engines
Search engines work by crawling billions of webpages, indexing the webpages, and then
providing them to the person typing a query into the search engine.
26
A web crawler, also known
as a bot, is a program that systematically browses the web to copy pages that are then processed
by a search engine.
27
Next, the pages are indexed for easy retrieval.
28
Each search engine uses their own algorithm, which determines the order pages appear.
29
Some
choose to put emphasis on things like user experience, while others focus on content quality or
link building.
30
Then a series of equations are used to determine where each piece of content
should rank.
31
Trade Secrets
Generally, trade secrets are intellectual property rights on confidential information that are used
by a business and provide an economic advantage to that business.
32
Section 812.081, F.S., defines a “trade secret” as information
33
used in the operation of a
business, which provides the business an advantage or an opportunity to obtain an advantage,
over those who do not know or use it. The test provided for in statute, and adopted by Florida
courts,
34
requires that a trade secret be actively protected from loss or public availability to any
person not selected by the secret’s owner to have access thereto, and be:
Secret;
Of value;
For use or in use by the business; and
Of advantage to the business, or providing an opportunity to obtain an advantage, over those
who do not know or use it.
35
24
See Gonzalez v. Google LLC, 2 F.4
th
871 (9
th
Cir. 2021).
25
Id.
26
See Anthony Schultes, How Do Search Engines Work (Sep. 9, 2021) available at
https://www.seerinteractive.com/insights/how-do-search-engines-work (last visited April 5, 2023).
27
See Cem Dilmegani, Web Crawler: What it is, How it works & Applications in 2023 (March 6, 2023) available at
https://research.aimultiple.com/web-crawler/ (last visited April 5, 2023).
28
Id.
29
See Anthony Schultes, How Do Search Engines Work (Sep. 9, 2021) http://www.seerinteractive,cin/insights/how-do-
search-engines-work (last visited April 5, 2023).
30
Id.
31
Id.
32
See The Florida Bar, Trade Secret (Dec. 14, 2022) https://www.floridabar.org/practice-areas/trade-secrets/ (last visited
April 5, 2023).
33
A trade secret may manifest as any scientific, technical, or commercial information, including any design, process,
procedure, list of suppliers, list of customers, business code, or improvement thereof. Section 812.081, F.S.
34
See, e.g., Sepro Corp. v. Dep’t. of Envt’l. Prot., 839 So. 2d 781 (Fla. 1
st
DCA 2003).
35
Section 812.081(1)(c), F.S. BILL: CS/SB 262 Page 6
Penalties
Florida law criminalizes the disclosure or theft of trade secrets. For example:
Section 815.04, F.S., makes it a third degree felony
36
for a person to willfully, knowingly,
and without authorization disclose or take data, programs, or supporting documentation that
are trade secrets that reside or exist internal or external to a computer, computer system,
computer network, or electronic device.
37
Section 812.081, F.S., makes it a third degree felony for a person to steal, embezzle, or copy
without authorization an article that represents a trade secret, when done with an intent to:
o Deprive or withhold from the trade secret’s owner the control of a trade secret, or
o Appropriate a trade secret to his or her own use or to the use of another.
A number of statutes also provide non-criminal protections for trade secrets. The majority of
these statutes provide public record exemptions for trade secrets,
38
but others provide procedural
safeguards or civil remedies instead.
39
Consumer Data Privacy Overview
Around 84 percent of Americans say they feel very little or no control over the data that is
collected about them by both the government and private companies.
40
Business technology to
collect and analyze data has grown, and companies regularly capture, store, and analyze data on
their consumers.
41
While consumers often willingly agree to terms-of-service agreements to
provide their data in exchange for free services, they are unaware of the extent to which that data
is then used because the agreements are lengthy, overly-complicated, or simply not read by the
consumer.
42
Consumer data is most commonly tracked through the placement of ‘cookies’—files that a
website places in the user’s device that allow for tracking across websites.
43
Another common
tracker is a “fingerprinter,” which creates a unique profile of the device, and allows the collector
to gather information tied to that device.
44
These technologies allow websites to store a password
36
A third degree felony is punishable by up to 5 years imprisonment and a $5,000 fine. (ss. 775.082 and 775.083, F.S.)
37
The offense is a second degree felony if committed for the purpose of creating or executing any scheme or artifice to
defraud or to obtain property.
38
Sections 119.071(1)(f), 125.0104(9)(d), 288.1226(8), 331.326, 365.174, 381.83, 403.7046(2)-(3), 403.73, 499.012(g), (m),
499.0121(7), 499.051(7), 499.931, 502.222, 570.48(3), 573.123(2), 581.199, 601.10(8)(a), 601.15(7)(d), 601.152(8)(c),
601.76, and 815.045, F.S.
39
Sections 721.071 and 812.035, F.S.
40
Brooke Auxier, Lee Rainie, Monica Anderson, Andrew Perrin, Madhu Kumar, and Erica Turner, PEW RESEARCH CENTER,
Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over their Personal Information at 7 (Nov. 15,
2019), available at https://www.pewresearch.org/internet/wp-content/uploads/sites/9/2019/11/Pew-Research-
Center_PI_2019.11.15_Privacy_FINAL.pdf (last visited April 5, 2023).
41
Max Freedman, BUSINESS NEWS DAILY, How Businesses are Collecting Data (and What They’re Doing With It) (Jun. 17,
2020), available at https://www.businessnewsdaily.com/10625-businesses-collecting-data.html (last visited April 5, 2023).
42
Jessica Guynn, USA TODAY, What Your Need to Know Before Clicking ‘I Agree’ on That Terms of Service Agreement or
Privacy Policy (Jan. 28, 2020),available at https://www.usatoday.com/story/tech/2020/01/28/not-reading-the-small-print-is-
privacy-policy-fail/4565274002/ (last visited April 5, 2023).
43
NPR.org, Online Trackers Follow our Digital Shadow by ‘Fingerprinting’ Browsers, Devices (Sep. 26, 2016), available at
https://www.npr.org/sections/alltechconsidered/2016/09/26/495502526/online-trackers-follow-our-digital-shadow-by-
fingerprinting-browsers-devices (last visited April 5, 2023).
44
Id. BILL: CS/SB 262 Page 7
that a consumer previously entered, and to follow the consumer’s use patterns at other websites
and to tailor their activities and advertisements to the consumer as a result of information it
gleans.
45
Certain commercial businesses collect this information and create a consumer profile
that describes possible interests or characteristics, and ultimately target ads for their products at
the consumer.
46
Other companies—data brokers—collect and sell or share consumer data as their
main business operation.
47
Generally, the types of consumer data that businesses collect are:
48
Personal data, which includes personally identifiable information, such as Social Security
numbers and gender, as well as identifiable information, including IP addresses, web browser
cookies, and device IDs;
Engagement data, which details how consumers interact with a business’ website, mobile
apps, social media pages, emails, paid ads, and customer service routes;
Behavioral data, which includes transactional details such as purchase histories, product
usage information, and qualitative data; and
Attitudinal data, which encompasses metrics on consumer satisfaction, purchase criteria,
product desirability, and more.
Federal and state governments have addressed data privacy and security to a certain extent,
largely by targeting specific industries (e.g., healthcare and financial institutions) or types of data
(such as children’s personal information).
49
However, no federal law exists that comprehensively
regulates how entities across all industries collect and use consumer data.
50
States have recently
begun to legislate more comprehensively to protect data privacy.
51
General Data Protection Regulation (GDPR)—European Union
The GDPR protects individual personal data and restricts entities’ use of personal data,
especially those that exercise overall control over the purpose and means of processing personal
data (controllers) or that process data on behalf of, or at the instruction of controllers
45
Wharton School of Business, University of Pennsylvania, Your Data is Shared and Sold…What’s Being Done About It?
(Oct. 28, 2019), available at https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/ (last visited April 5,
2023).
46
See supra, note 10
47
Lois Beckett, PROPUBLICA, Everything We Know About What Data Brokers Know About You (June 13, 2014), available at
https://www.propublica.org/article/everything-we-know-about-what-data-brokers-know-about-you (last visited April 3,
2023). See also Louise Matsakis, Wired, The WIRED Guide to Your Personal Data (and Who is Using It), (Feb. 15, 2019),
available at https://www.wired.com/story/wired-guide-personal-data-collection/ (last visited April 5, 2023).
48
Freedman, supra, note 10.
49
Stephen Mulligan, Wilson Freeman, Chris Linebaugh, Congressional Research Service, Data Protection Law: An
Overview at 7-8 (Mar. 25, 2019), available at https://crsreports.congress.gov/product/pdf/R/R45631 (last visited April 5,
2023).
50
Wilson Freeman, Congressional Research Service, California Dreamin’ of Privacy Regulation: The California Consumer
Privacy Act and Congress (Nov. 1, 2018), available at https://crsreports.congress.gov/product/pdf/LSB/LSB10213/3 (last
visited April 5, 2023).
51
NCSL, 2021 Consumer Data Privacy Legislation (Dec. 27, 2021),available at
https://www.ncsl.org/research/telecommunications-and-information-technology/2021-consumer-data-privacy-legislation.aspx
(last visited April 5, 2023). BILL: CS/SB 262 Page 8
(processors).
52
A controller or processor is required to comply with the GDPR if it has activity in
the European Union—even a minimal one, and regardless of where the data processing occurs.
53
Personal data is defined as any information that relates to an identified or identifiable person, and
can include names, identification numbers, location data, cookies, and any other information
through which an individual can be directly or indirectly identified.
54
A processor and controller
must receive express consent from an individual before they can collect or process his or her
personal data. The language must give a clear choice that is not based on an overbroad or overly
complex question.
55
The GDPR requires entities subject to the GDPR to provide individuals with a report of their
data that is processed, where it is processed, and why it is being processed.
56
This report must be
provided to the individual within one month of his or her request.
57
If an individual makes a
request that an entity correct or delete his or her personal data held by an entity, the entity must
do so.
58
State Data Privacy Regulations
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The CCPA (2018) defines personal information as that which identifies, relates to, describes, or
is capable of being associated with or could reasonably be linked, directly or indirectly, with a
particular consumer or household.
59
The CCPA grants consumers greater control over their
personal information by, among other provisions, creating the following consumer rights, to:
60
Know about the personal information that a business collects, specifically about the
consumer, and how it is used and shared;
Delete collected personal information with some exceptions;
Opt out of the sale of personal information; and
Be treated equally by covered businesses, whether or not an individual has exercised a right
granted by the CCPA.
Additionally, the CCPA requires business to give consumers certain notices that explain their
52
See generally, Stephen Mulligan, Wilson Freeman, Chris Linebaugh, CONGRESSIONAL RESEARCH SERVICE, Data
Protection Law: An Overview p. 42 (Mar. 25, 2019), available at https://crsreports.congress.gov/product/pdf/R/R45631 (last
visited April 5, 2023).
53
GDPR, art. 3.
54
GDPR, art. 4(1). See, U.K. Information Commissioner’s Office, Guide to General Data Protection Regulation: What is
Personal Data? available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-
protection-regulation-gdpr/key-definitions/what-is-personal-data/ (last visited April 5, 2023).
55
U.K. Information Commissioner’s Office, Guide to General Data Protection Regulation: Consent, available at
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-
basis-for-processing/consent/ (last visited April 5, 2023).
56
Mark Kaelin, TECHREPUBLIC, GDPR: A Cheat Sheet (May 23, 2019), available at
https://www.techrepublic.com/article/the-eu-general-data-protection-regulation-gdpr-the-smart-persons-guide/ (last visited
April 5, 2023).
57
GDPR, arts. 12(3), 15.
58
U.K. Information Commissioner’s Office, Guide to General Data Protection Regulation: Right to Erasure, available at
Right to erasure | ICO (last visited April 5, 2023).
59
Cal. Civ. Code § 1798.140(v)(1).
60
California Department of Justice, Office of the Attorney General, California Consumer Privacy Act (CCPA), available at
https://oag.ca.gov/privacy/ccpa (last visited April 5, 2023). BILL: CS/SB 262 Page 9
privacy practices and provide certain mechanisms to allow consumers to opt-out or exercise
other rights regarding their personal information.
The CCPA applies to for-profit businesses that do business in California and that meet any of the
following requirements:
61
Have a gross annual revenue of over $25 million;
Buy, receive, or sell the personal information of 100,000 or more California residents,
households, or devices; or
Derive 50 percent or more of their annual revenue from selling California residents’ personal
information.
The law is largely enforced by the Attorney General, and businesses are subject to fines for
violating the law. A consumer may only bring a cause of action against a business if certain
categories of personal information tied to his or her name have been stolen in a nonencrypted and
nonredacted form.
62
The CPRA, which was approved by voters in a 2020 statewide ballot measure and took effect on
January 1, 2023, amends and expands upon the CCPA.
The CPRA broadens consumers’ rights by allowing them to:
63
Prevent businesses from sharing their personal information (CCPA prevents businesses from
selling it);
Correct their inaccurate personal information; and
Limit a business’ use of their sensitive personal information, which includes information
such as a consumer’s geolocation, race, ethnicity, religion, genetic data, private
communications, sexual orientation, and specific health information.
The CPRA now applies to businesses that not only sell personal information, but also ones that
share it. Additionally, the CPRA now prohibits sharing of data between different entities that
make up a joint venture.
64
The CPRA also provides that a business that collects personal information cannot retain a
consumer’s personal information or sensitive personal information for longer than is reasonably
necessary.
65
Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act (Virginia Act) takes effect on January 1, 2023. The
Virginia act grants consumers the right to access, correct, delete, obtain a copy of, and opt out of
61
Cal. Civ. Code § 1798.140.
62
Cal. Civ. Code ss. 1798.130, 1798.135.
63
Elizabeth Shirley, Overview of Applicability and Updated Privacy Provisions in the California Privacy Rights and
Enforcement Act of 2020 (CPRA) (Jun. 10, 2021), available at https://www.jdsupra.com/legalnews/overview-of-
applicability-and-updated-5551553/ (last visited April 5, 2023).
64
Id.
65
Mario Meeks, JDSUPRA, The CPRA’s Storage Limitation Requirement is Coming—Practical Tips for Shoring Up Your
Record Retention Practices to Comply (Feb. 18, 2021), available at https://www.jdsupra.com/legalnews/the-cpra-s-storage-
limitation-9898179/ (last visited April 5, 2023). BILL: CS/SB 262 Page 10
the processing of their personal data for the purposes of targeted advertising.
66
The Virginia Act
defines “consumer” only as a natural person who is a resident of Virginia and acts only in an
individual or household context.
67
Businesses are subject to the Virginia Act if they operate in Virginia and either (1) control or
process personal data of 100,000 or more consumers or (2) derive over 50 percent of their gross
revenue from the sale of personal data and control or process personal data of at least 25,000
consumers.
68
The Virginia Act exempts specific entities that are otherwise regulated by specific federal law,
including those regulated by the GLBA and HIPAA. The Virginia Act also exempts Virginia
public entities, nonprofit organizations, and higher education institutions.
69
In a similar vein, the
Virginia Act exempts specific personal information, where the collection and use thereof is
otherwise regulated by FCRA, FERPA, and COPPA.
70
The Virginia Attorney General has exclusive authority to enforce the Virginia Act.
71
Colorado Privacy Act
The Colorado Privacy Act (Colorado Act) will take effect on July 1, 2023.
72
Generally, with
regard to personal data, the Colorado Act grants a consumer the right to:
73
Access data;
Correct data;
Delete data;
Data portability;
Opt out of the sale of personal information, targeted advertising, and profiling;
Appeal; and
Non-discrimination.
Like the CCPA and Virginia Act, the Colorado Act contains exceptions for certain types of data
and information governed by federal law. It provides that the Attorney General has exclusive
66
Va. Code Ann. § 59.1-573 (2020). See also, Colleen Brown, Alan Raul, Lauren Kitces, Sidley LLP, East Coast Meet West
Coast: Enter the Virginia Consumer Data Privacy Protection Act (Mar. 5, 2021), available at
https://www.sidley.com/en/insights/newsupdates/2021/03/east-coast-meets-west-coast-enter-the-virginia-consumer-data-
protection-act (last visited April 5, 2023).
67
Va. Code Ann. § 59.1-571 (2020).
68
Va. Code Ann. § 59.1-572 A (2020).
69
Va. Code Ann. § 59.1-572 B (2020).
70
Va. Code Ann. § 59.1-572 C (2020).
71
See generally, Kurt Hunt and Matthew Diaz, JDSUPRA, Virginia Becomes 2
nd
State to Adopt a Comprehensive Consumer
Data Privacy Law (Mar. 4, 2022), available at https://www.natlawreview.com/article/virginia-becomes-2nd-state-to-adopt-
comprehensive-consumer-data-privacy-law (last visited April 5, 2023).
72
C.R.S. 1-6-1301-1313, available at https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf (last visited April 5,
2023).
73
The National Law Review, And Now There are Three…The Colorado Privacy Act, July 16, 2021, available at
https://www.natlawreview.com/article/and-now-there-are-three-colorado-privacy-
act#:~:text=Colorado%20has%20now%20joined%20California,effect%20on%20July%201%2C%202023. (last visited April
5, 2023). BILL: CS/SB 262 Page 11
authority to enforce violations of the law, and does not provide a private cause of action to a
consumer. The Colorado Act applies to persons conducting business in the state that either:
74
Control or process personal data of 100,000 or more consumers during a calendar year; or
Derive revenue or receive discounts from the sale of personal data and control or process
data of at least 25,000 consumers.
The Colorado Act does not bestow a private right of action. The Colorado Attorney General has
exclusive enforcement authority to prosecute violations as deceptive trade practices.
75
Utah Consumer Privacy Act
The Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023.
76
Generally,
with regard to personal data, the UCPA grants a consumer the right to:
Access data;
Delete data;
Obtain a copy of data;
Opt out of the sale of data; and
Opt out of targeted advertising.
77
Unlike the CCPA, the Colorado Act, and the Virginia Act, the UCPA does not provide
consumers with the ability to correct personal data.
78
The UCPA applies to a controller or
processor that conducts business in Utah or produces a product or service targeted to Utah
residents, has annual revenues of $25,000,000 or more, and satisfies at least one of the following
thresholds:
During a calendar year, controls or processes the personal data of 100,000 or more Utah
residents; or
Derives over 50% of its gross revenue from the sale of personal data, and controls or
processes the personal data of 25,000 or more consumers.
79
The UCPA does not provide a private right of action. The Utah Attorney General will enforce
the law.
80
Florida Information Protection Act (FIPA)
81
FIPA is a data security measure that requires governmental entities, specific business entities,
and any third-party agent that holds or processes personal information on behalf of these entities
to take reasonable measures to protect a consumer’s personal information. Additionally, FIPA
74
Id.
75
Weiner Brodsky Kider, PC, Colorado Enhances Data Privacy for Consumers (Aug. 10, 2021), available at
https://www.jdsupra.com/legalnews/colorado-enhances-data-privacy-for-7292123/ (last visited April 5, 2023).
76
The National Law Review, Utah Becomes Fourth U.S. State to Enact Consumer Privacy Law (March 24, 2022), available
at Utah Consumer Privacy Act Passed - UCPA Legislation (natlawreview.com) (last visited April 5, 2023).
77
Id.
78
Id.
79
Id.
80
Id.
81
Section 501.171, F.S.; Chapter 2014-189, Laws of Fla. (FIPA expanded and updated Florida’s data breach disclosure laws
contained in s. 817.5681, F.S. (2013), which was adopted in 2005 and repealed in 2014). BILL: CS/SB 262 Page 12
requires covered business entities
82
that are subject to data breaches to attempt to remediate the
breach by notification to affected consumers in Florida, and in cases where more than 500
individual’s information was breached—by additional notification to the Department of Legal
Affairs (DLA).
83
If the breach affected more than 1,000 individuals in Florida, the entity must
also notify credit reporting agencies, with certain exceptions.
84
FIPA defines “personal information” as:
Online account information, such as security questions and answers, email addresses, and
passwords; and
An individual’s first name or first initial and last name, in combination with any one or more
of the following information regarding him or her:
o A social security number;
o A driver license or similar identity verification number issued on a government
document;
o A financial account number or credit or debit card number, in combination with any
required security code, access code, or password that is necessary to permit access to an
individual’s financial account;
o Medical history information or health insurance identification numbers; or
o An individual’s health insurance identification numbers.
85
Personal information does not include information:
About an individual that a federal, state, or local governmental entity has made publicly
available; or
That is encrypted, secured, or modified to remove elements that personally identify an
individual or that otherwise renders the information unusable.
86
FIPA does not provide a private cause of action, but authorizes the DLA to file charges against
covered entities under Florida’s Unfair and Deceptive Trade Practices Act (FDUTPA).
87
In addition to the remedies provided for under FDUTPA, a covered entity that fails to notify
DLA, or an individual whose personal information was accessed, of the data breach is liable for a
civil penalty of $1,000 per day for the first 30 days of any violation; $50,000 for each subsequent
30-day period of violation; and up to $500,000 for any violation that continues more than 180
days. These civil penalties apply per breach, not per individual affected by the breach.
Illinois Biometric Information Privacy Act
In 2008, Illinois became the first state to specifically regulate biometric data with the passage of
the Biometric Information Privacy Act (BIPA). BIPA puts in place safeguards and procedures
82
A “covered entity” is a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other
commercial entity that acquires, maintains, stores, or uses personal information. Section 501.171(1)(b), F.S.
83
Florida Office of the Attorney General (OAG), How to Protect Yourself: Data Security, available at
http://myfloridalegal.com/pages.nsf/Main/53D4216591361BCD85257F77004BE16C (last visited April 5, 2023). Section
501.171(3)-(4), F.S.
84
Section 501.171(3)-(6), F.S.
85
Section 501.171(1)(g)1., F.S.; OAG supra note 41.
86
Section 501.171(1)(g)2., F.S.
87
Section 501.171(9), (10), F.S.; OAG supra note 41. BILL: CS/SB 262 Page 13
that relate to the retention, collection, disclosure, and destruction of biometric information and
specifically protects the biometric information of those in Illinois.
BIPA defines biometric data as a retina or iris scan, fingerprint, voiceprint, or scan of hand or
face geometry.
Under BIPA, a private entity:
88
That possesses biometric data must have a written policy that establishes a retention schedule
and guidelines for permanently destruction of such data;
Cannot collect, capture, purchase, receive through trade, or otherwise obtain biometric data
unless it receives an informed release from the subject;
Cannot profit from a person’s biometric data;
Cannot disseminate a person’s biometric data unless the subject consents or provides
authorization, or the entity is required by law or a valid warrant or subpoena; and
Must store, transmit, and protect biometric data with a reasonable standard of care and in a
manner as or more protective as other confidential and sensitive information.
BIPA provides a private cause of action, with relief including liquidated damages, ranging from
$1,000 to $5,000 or actual damages (whichever is greater), attorney’s fees and costs, and other
relief deemed appropriate by a court.
89
The Illinois Supreme Court found that an individual does not need to allege an actual injury or
adverse effect, beyond violation of their rights under BIPA, to qualify as an aggrieved party.
Therefore, anyone whose biometric data is affected by a violation of BIPA may seek liquidated
damages or injunctive relief under BIPA.
90
Court documents also tend to support the notion that
an individual in Illinois has a valid cause of action if their biometric data is taken without
consent by a private entity, including out-of-state entities, but it is subject to a finding of fact.
91
Federal Privacy Regulations
Health Insurance Portability and Accountability Act (HIPAA)
92
and its Related Rules
HIPPA requires federal agencies to create national standards to protect sensitive patient health
information from disclosure without the patient’s consent or knowledge. HIPPA’s two pertinent
implementing rules are the Privacy Rule and the Security Rule.
93
88
740 Ill. Comp. Stat. 14/10, 14/15 (2008).
89
740 Ill. Comp. Stat. 14/20 (2008).
90
See Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186.
91
See Rivera v. Google, Inc., 238 F.Supp.3d 1088 (N.D. Ill. 2017); See also In re Facebook Biometric Information Privacy
Litigation, 185 F.Supp.3d 1155 (N.D. Cal. (2016).; See also Norberg v. Shutterfly, Inc., 152 F.Supp.3d 1103 (N.D. Ill. 2015).
92
42 U.S.C. § 1320.
93
See generally, Stephen Mulligan, Wilson Freeman, Chris Linebaugh, Congressional Research Service, Data Protection
Law: An Overview pp. 10-12 (Mar. 25, 2019), available at https://crsreports.congress.gov/product/pdf/R/R45631 (last visited
April 5, 2023). BILL: CS/SB 262 Page 14
The Privacy Rule addresses the use and disclosure of individual’s protected health information
(PHI) by covered entities.
94, 95
PHI is information, including demographic data, that can be used
to identify the individual, and that relates to the individual’s:
Past, present, or future physical or mental health or physical condition;
Health care; or
Payment for past, present, or future health care.
A common example of PHI is a patient’s name, address, birth date, or social security number.
However, PHI does not include deidentified health information or employment-related records.
The Privacy Rule protects PHI that is held or transmitted by a covered entity or its business
associate by preventing covered entities from disclosing PHI without the patient’s consent or
knowledge unless it is being used or shared for treatment, payment, or healthcare operations or
for another exempt purpose.
These covered entities must prominently post an electronic notice and give notice upon a specific
request to patients regarding the manners in which they use and disclose PHI. A covered entity
must also provide an accounting of disclosures it has made of a patient’s PHI upon his or her
request as well as a copy of his or her PHI.
The Security Rule applies to the subset of identifiable health information that a covered entity
creates, receives, maintains, or transmits in electronic form called “electronic protected health
information” (e-PHI).
96
The Security Rule does not apply to PHI that is transmitted orally or in
writing. A covered entity must comply with the Security Rule by:
Ensuring the confidentiality, integrity, and availability of all e-PHI;
Detecting and safeguarding against anticipated threats to the security of the information;
Protecting against anticipated uses or disclosures; and
Certifying compliance by their workforce.
The Department of Health and Human Services may institute a civil enforcement under HIPPA
and may seek civil penalties. The Department of Justice may institute criminal proceedings
against a violator who knowingly obtained or disclosed PHI. There is no private cause of action
under HIPPA.
Federal Policy for the Protection of Human Subjects (“Common Rule”)
The Common Rule is promulgated by the U.S. Food and Drug Administration (FDA) and
governs the ethical conduct of research involving human subjects.
97
Fifteen federal agencies and
departments are party to this rule. The Common Rule mandates that researchers protect the
94
45 C.F.R. §160 and 164. See also, Department of Health and Human Services, Summary of the HIPPA Privacy Rule, (Jul.
26, 2013) available at https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html (last visited April 5,
2023).
95
A covered entity is a health plan, health care clearinghouse, health care provider who transmits health information in
electronic form, and these entities’ business associates.
96
45 C.F.R. §164.302-318.
97
21 C.F.R. §§ 50, 60. BILL: CS/SB 262 Page 15
privacy of subjects and maintain confidentiality of human subject data, among other
requirements.
98
The FDA is a member of the International Council for Harmonisation of Technical Requirements
for Pharmaceuticals for Human Use, which brings together the regulatory authorities and the
pharmaceutical industry to develop guidelines for pharmaceutical trials.
99
Fair Credit Reporting Act (FCRA)
100
The FCRA promotes the accuracy, fairness, and privacy of information that consumer reporting
agencies and their related entities collect.
101
The FCRA governs the acts of credit reporting
agencies (CRAs), entities that furnish information to CRAs (furnishers), and individuals who use
credit reports issued by CRAs. Specifically, CRAs and their furnishers must adopt methods to
ensure the information they collect and report is accurate.
Individuals can review the information a CRA has collected on them to ensure that it is accurate,
and may dispute its accuracy—which triggers a CRA’s and furnisher’s duty to reinvestigate the
information. Individuals may also request to review the information a CRA has in his or her file,
the sources of the information, and the identity of those to whom the information was disclosed.
A CRA cannot provide information in a consumer report to anyone who does not have a
specified purpose in the FCRA.
102
The FTC and Consumer Finance Protection Bureau share civil enforcement authority of the
FCRA. A person who willfully obtains consumer information from a CRA under false pretenses
is subject to criminal prosecution. An individual may also pursue a private right of action if he or
she was injured by willful or negligent actions.
103
98
See generally, Health and Human Services, Federal Policy for the Protection of Human Subjects (‘Common Rule’) (Mar.
18, 2016), available at https://www.hhs.gov/ohrp/regulations-and-policy/regulations/common-rule/index.html (last visited
April 5, 2023).
99
International Council for Harmonisation, available at https://www.ich.org/ (last visited April 5, 2023).
100
15 U.S.C. §1681.
101
Consumer Finance Bureau, A Summary of Your Rights Under the Fair Credit Reporting Act (Sept. 18, 2018), 12 CFR
1022, available at A Summary of Your Rights Under the Fair Credit Reporting Act (ftc.gov) (last visited April 5, 2023). See
also, Federal Trade Commission, Fair Credit Reporting Act, available at https://www.ftc.gov/enforcement/statutes/fair-
credit-reporting-act (last visited April 5, 2023).
102
Permissible purposes include employment, insurance underwriting that involves the consumer, evaluating the consumer’s
eligibility for licensure or other governmental benefit that considers the applicants financial responsibility or status, or a
legitimate business need. 15 U.S.C. § 1681b(a).
103
An individual may record actual damages, attorney’s fees, litigation costs, and in the case of willful violations—statutory
damages ranging from $100 to $1,000 and punitive costs as the court deems appropriate. 15 U.S.C. § 1681n(a). BILL: CS/SB 262 Page 16
Gramm-Leach Bliley Act (GLBA)
104
The GLBA governs financial institutions’ use and protection of nonpublic personal information
(NPI).
105
A financial institution is any institution that engages in financial activities, such as
banks, real estate appraisers and title companies, consumer-financing companies, insurance
underwriters and agents, wire transfer agencies, check cashing stores, and mortgage brokers.
106
A financial institution cannot share (1) NPI with non-affiliated third parties unless they notify the
consumer of their intent to do so and provide a chance to opt out; and (2) a consumer’s account
or credit card numbers with third parties for direct marketing. The financial institution must also
send an annual notice to the consumer that clearly and conspicuously describes the institution’s
privacy policies and practices.
107
The financial institution must also ensure the security and confidentiality of a customer’s NPI by
establishing concrete security policies, and by designating an information security program
coordinator and implementing a risk assessment process.
108
The Consumer Financial Protection Bureau, Federal Trade Commission, and federal banking
agencies share civil enforcement authority of the GLBA. Certain civil remedies and criminal
liabilities are available for violations of the data security and protection provisions of the GLBA,
but there is no private cause of action.
Children’s Online Privacy Protection Act (COPPA)
109
COPPA and its related rules regulate websites’ collection and use of children’s information. The
operator of a website or online service that is directed to children, or that has actual knowledge
that it collects children’s personal information (covered entities), must comply with requirements
regarding data collection and use, privacy policy notifications, and data security.
COPPA defines personal information as individually identifiable information about an individual
that is collected online, including:
A first and last name;
A home or other physical address, e-mail address, telephone number, or any other identifier
that the FCC determines could permit one to contact someone physically or online, such as a
screen name;
A social security number;
104
15 U.S.C. §§ 6801-6809. See generally, Stephen Mulligan, Wilson Freeman, Chris Linebaugh, Congressional Research
Service, Data Protection Law: An Overview pp. 8-10 (Mar. 25, 2019), available at
https://crsreports.congress.gov/product/pdf/R/R45631 (last visited April 5, 2023).
105
The GLBA defines “nonpublic personal information” as “personally identifiable information” that is not publicly available
and is either provided by the consumer to a financial institution, resulting from any transaction with the consumer or any
service performed for the consumer, or otherwise obtained by the financial institution. 15 U.S.C. § 6809(9).
106
Federal Trade Commission, Financial Institutions and Customer Information: Complying with the Safeguards Rule: Who
Must Comply?, available at https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-
information-complying (last visited April 5, 2023).
107
The notice must specifically include the categories of NPI the financial institution collects and discloses, the types of third
parties with which it shares NPI, and how it protects consumers’ NPI.
108
See, 16 C.F.R. § 314.4
109
16 C.F.R. pt. 312. BILL: CS/SB 262 Page 17
A persistent identifier that can be used to recognize a user over time and across different
websites;
A photograph, video, or audio file that contains a child’s image or voice;
A geolocation information that is sufficient to identify the user’s location; or
Information concerning the child or parents that the operator collects from the child and
combines with any other identifier described above.
A covered entity may not collect a child’s (individual under the age of 13) personal information
without the prior, verifiable consent of his or her parent.
110
COPPA further requires covered entities to:
111
Give parents direct notice of their privacy policies, including a description of their data
collection and sharing practices;
Post a clear link to their privacy policies on their home page and at each area of their website
where they collect personal information from children;
Institute procedures to protect the personal information that they hold;
Ensure that any third party with which they share collected personal information implements
the same protection procedures; and
Delete children’s personal information after the purpose for its retention has been fulfilled.
Violations of COPPA are an unfair or deceptive act or practice and are prosecuted by the FTC.
COPPA also authorizes state attorneys general to enforce violations that affect residents of their
states. There is no criminal prosecution or private right of action provided for under COPPA.
112
Driver’s Privacy Protection Act (DPPA)
113
The DPPA prohibits state Departments of Motor Vehicle (DMVs) from releasing an individual’s
personal information obtained by the DMV in connection with a motor vehicle record, subject to
certain exceptions, such as a legitimate government need. Additionally, the DPPA requires
DMVs to obtain an individual’s consent to enable the sale or release of personal motor vehicle
record to a third-party marketer.
Violations of the DPPA are subject to criminal fine. Additionally, a private individual affected
by the improper disclosure or use of his or her personal information may bring a private civil
action against the violator.
114
110
15 U.S.C. §§ 6502(a)-(b).
111
See, Federal Trade Commission, General Questions About the COPPA Rule: What is the Children’s Online Privacy
Protection Rule?(Jul. 2020), available at https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-
frequently-asked-questions-0 (last visited April 5, 2023).
112
Federal Trade Commission, General Questions About the COPPA Rule: COPPA Enforcement, available at
https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions-0 (last visited April
5, 2023).
113
18 U.S.C. §2721.
114
18 U.S.C. § 2724. See generally, Electronic Privacy Information Center, The Drivers Privacy Protection Act (DPPA) and
the Privacy of Your State Motor Vehicle Record, available at The Drivers Privacy Protection Act (DPPA) and the Privacy of
Your State Motor Vehicle Record – EPIC – Electronic Privacy Information Center (last visited April 5, 2023). BILL: CS/SB 262 Page 18
Family Educational Rights and Privacy Act (FERPA)
115
FERPA protects the privacy of student’s education records. The law applies to any school that
receives applicable funds from the U.S. Department of Education. FERPA grants parents certain
rights respecting their child’s education records, and this privacy right transfers to the student
when he or she reaches age 18 or attends a post-secondary school.
Schools may disclose, without consent, directory information, such as a student’s name, address,
telephone number, birthday, place of birth, honors and awards, and dates of attendance.
However, schools must disclose and allow parents and students to opt out of the disclosure of
their directory information.
Schools must give an annual notice about rights granted by FERPA to affected parties.
116
Federal Trade Commission Act (FTC Act)
The FTC protects consumer data privacy by acting under Section 5 of the FTC Act, which bars
unfair and deceptive acts and practices that affect commerce.
117
Specifically, the FTC prosecutes
companies that act unfairly or deceptively when they gather, use, or disclose personal
information in a manner that contradicts their posted privacy policy or other statements, or fail to
implement reasonable data security safeguards.
118
For example, the FTC prosecuted both Sears and Upromise for drafting misleading privacy
policies that did not fully disclose the extent to which a consumer’s online browsing would be
tracked.
119
III. Effect of Proposed Changes:
Governmental Content Moderation of Social Media Platforms
A social media platform is a form of electronic communication through which users create online
communities to share information, ideas, personal messages, and other content.
A governmental entity is any state, county, district, authority, or municipal officer, department,
division, board, bureau, commission, or other separate unit of government created or established
by law.
115
20 U.S.C. §1232(g); 34 C.F.R. § 99.
116
U.S. Department of Education, Family Educational Rights and Privacy Act (FERPA), (Aug. 25, 2021) available at
https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html (last visited April 5, 2023).
117
15 U.S.C. § 1681. Federal Trade Commission, Privacy and Security Enforcement, available at https://www.ftc.gov/news-
events/media-resources/protecting-consumer-privacy/privacy-security-enforcement (last visited April 5, 2023).
118
Stephen Mulligan, Wilson Freeman, Chris Linebaugh, CONGRESSIONAL RESEARCH SERVICE, Data Protection Law: An
Overview p. 30-35 (Mar. 25, 2019), available at https://crsreports.congress.gov/product/pdf/R/R45631 (last visited April 5,
2023).
119
See, e.g., Federal Trade Commission, Membership Reward Service Upromise Penalized for Violating FTC Order (Mar.
17, 2017) Stephen Mulligan, Wilson Freeman, Chris Linebaugh, Congressional Research Service, Data Protection Law: An
Overview p. 42 (Mar. 25, 2019), available at https://crsreports.congress.gov/product/pdf/R/R45631 (last visited April 5,
2023); and Complaint In the Matter of Sears Holdings Mgmt Co., No. C-4264 (F.T.C. Aug. 31, 2009). BILL: CS/SB 262 Page 19
SB 262 creates s. 112.23, F.S., to prohibit an officer or a salaried employee of a governmental
entity from using their position or any state resources to communicate with a social media
platform to request that it remove content or accounts from the social media platform.
Additionally, a governmental entity, or an officer or a salaried employee acting on behalf of a
governmental entity may not initiate or maintain any agreements or working relationships with a
social media platform for the purpose of content moderation.
The bill provides that the above prohibitions to do not apply if the governmental entity or an
officer or a salaried employee acting on behalf of a governmental entity is acting as part of any
of the following:
Routine account management of the government entity’s account;
An attempt to remove content that pertains to the commission of a crime or violation of
Florida’s public records law;
An attempt to remove an account that pertains to the commission of a crime or violation of
Florida’s public records law; or
An investigation or inquiry related to public safety.
Consumer Data Privacy
The bill creates s. 501.173, F.S., to establish specific consumer rights over their personal
information when held by specific controllers or processors, including:
The right to access personal information that is collected about the individual consumer;
The right to delete or correct their personal information; and
The right to opt-out of the sale or sharing of their personal information with third parties.
A “consumer,” as defined by the bill, may exercise these rights. A consumer is any natural
person who resides in, or is domiciled in, Florida and who acts in his or her personal capacity or
household
120
context. The bill does not contemplate individuals who act in a commercial or
employment context.
A controller that receives a verifiable consumer request to access, delete, correct, or opt-out must
comply with the request, with certain exceptions.
Personal Information
The bill defines personal information as information, including biometric, genetic, and unique
identifiers, that is linked, or reasonably capable of being linked, with a particular consumer or
household. The term includes:
Identifiers such as a real name, alias, postal address, unique identifier,
121
online identifier,
internet protocol address, email address, account name, social security number, driver license
number, passport number, or other similar identifiers;
120
The bill defines “household” as a natural person or a group of peole in Florida who reside at the same address, share a
common device or the same service provided by a controller, and are identified by a controller as sharing the same group
account or unique device.
121
The bill defines “unique identifier” as a persisitent identifier that can be used to recognize a consumer, a family, or a
device that is linked to a consumer or a family, over time and across different services. BILL: CS/SB 262 Page 20
Information that identifies, relates to, or describes, or could be associated with, a particular
individual, including, but not limited to, a name, signature, social security number, physical
characteristics or description, address, location, telephone number, passport number, driver
license or state identification card number, insurance policy number, education, employment,
employment history, bank account number, credit card number, debit card number, or any
other financial information, medical information, or health insurance information;
Characteristics of protected classifications under state or federal law;
Commercial information, including records of personal property, products or services
purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
Biometric information;
Internet or other electronic network activity information, including, but not limited to,
browsing history, search history, and information regarding a consumer’s interaction with an
Internet website, application, or advertisement;
Geolocation data;
Audio, electronic, visual, thermal, olfactory, or similar information; and
Inferences drawn from any of the information used to create a profile about a consumer
reflecting the consumer’s preferences, characteristics, psychological trends, predispositions,
behavior, attitudes, intelligence, abilities, and aptitudes.
The term does not include:
Consumer employment contact information and similar information that is used only in an
employment context;
De-identified consumer information or aggregate consumer information; and
Publicly and lawfully available information reasonably believed to be made available to the
general public in a lawful manner and without legal restrictions.
Business Requirements
Controllers
A controller subject to the bill is any sole proprietorship partnership, limited liability company,
corporation, association, or legal entity that:
Is organized or operated for the profit or financial benefit of its shareholders or owners;
Does business in Florida;
Collects consumer personal information, or is the entity that directs such collection;
Determines the purpose and means of processing personal information about consumers,
alone or jointly with others;
Makes in excess of $1 billion in gross revenues, as adjusted in January of every odd-
numbered year to reflect any increase in the Consumer Price Index; and
Satisfies one of the following:
o Derives 50 percent or more of its global annual revenues from providing targeted
advertising
122
or the sale of ads online; or
122
The bill defines “targeted advertising” as marketing to a consumer or displaying an advertisement to a consumer when the
advertisement is selected based on personal information used to predict such consumer’s preferences or interests. BILL: CS/SB 262 Page 21
o Operates a consumer smart speaker and voice command component service with an
integrated virtual assistant connected to a cloud computing service that uses hands-free
verbal activation.
123
Additionally, any entity that controls or is controlled by a controller is considered a controller for
the purposes of the bill.
Processors
A processor is a for-profit business that processes information on behalf of a controller pursuant
to a written contract. The contract between the controller and processor must prohibit the
processor from retaining, using, or disclosing the information for any reason other than that
stated in the contract, and as permitted by the bill.
A processor can only act pursuant to a contract between it and the controller. The contract must
include provisions that:
Prohibit the processor from selling, sharing, retaining, using, or disclosing the personal
information for any purpose that violates s. 501.173, F.S.;
Prohibit the processor from retaining, using, or disclosing the personal information other than
for the purposes specified in the contract or agreement;
Prohibit the processor from combining the personal information that the processor receives
from or on behalf of the controller with personal information that the processor receives from
or on behalf of another person or that the processor collects from its own interaction with the
consumer, provided that the processor may combine personal information to perform any
purpose specified in the contract or agreement and such combination is reported to the
controller;
Govern the processor’s personal information processing procedures with respect to
processing performed on behalf of the controller, including processing instructions, the
nature and purpose of processing, the type of information subject to processing, the duration
of processing, and the rights and obligations of the controller and processor;
Require the processor to return or delete all personal information under the contract to the
controller as requested by the controller at the end of the provision of services, unless
retention of the information is required by law; and
Require the processor to make available to the controller all personal information in its
possession under the contract or agreement, pursuant to the controller’s request.
Additionally, the bill provides that determining whether a person is acting as a controller or
processor with respect to a specific processing of data is a fact-based determination. A contract
between a controller and processor must reflect their respective roles and relationships related to
handling personal information.
If the processor engages a subcontractor, it must require it to meet the same obligations it is
required to meet under the bill.
123
The bill clarifies that a consumer smart speaker and voice command component service does not include a motor vehicle
or speaker or device associated with or connected to a vehicle. BILL: CS/SB 262 Page 22
Third Parties
A third party is any person who is neither a controller, nor a processor. This may include
subcontractors required to engage in data processing, security auditors, or entities that partner
with web retail sites to allow consumers to pay in installments.
A third party is prohibited from selling or sharing personal information about a consumer unless
the consumer is provided an opportunity by such third party to opt out.
A third party that has collected personal information from a controller in accordance with the
requirements in this bill, may use such personal information to advertise or market products or
services that are produced or offered directly by such third party.
A third party that engages a subcontractor must require it to meet the same obligations it is
required to meet under the bill.
General Business Obligations
Generally, a controller that buys, sells, or shares Florida consumers’ personal information is
subject to the bill. The sale of personal information includes the transfer by any means, for actual
monetary or valuable consideration, of consumer personal information by a controller to another
controller or a third party. In contrast, a controller shares consumer personal information when it
transfers it by any means, or allows access to it, for the purpose of advertising or marketing. The
bill specifically includes in its definition of “sharing” (1) allowing a third party to advertise or
market to a consumer based on the consumer’s personal information, without the disclosure of
the personal information to the third party, and (2) transactions between a controller and third
party for advertising and marketing.
General Exemptions from Provisions of the Bill
Controllers, processors, and third parties may be exempt from the duties created by the bill,
depending on the manner in which they use consumer personal information.
The bill does not apply to the collection of personal information:
Used for transactional payments;
Deidentified or aggregate consumer information;
In compliance with federal, state, or local laws;
In compliance with a civil, criminal, or regulatory inquiry, investigation, subpoena, or
summons by federal, state, or local authorities;
In cooperation with law enforcement agencies concerning conduct reasonably believed to
violate laws;
For the purpose of exercising or defending legal rights, claims, or privileges;
Collected through direct interactions with the consumer, which is used for advertising or
marketing services to advertise or market products or services that are produced or offered
directly by the controller;
Pertaining to a job applicant, employee, owner, director, officer, contractor, volunteer, or
intern of a controller, to the extent the personal information is collected and used solely
within the context of the person’s role or former role with the controller; BILL: CS/SB 262 Page 23
Pertaining to protected health information for purposes of the federal Health Insurance
Portability and Accountability Act (HIPPA) of 1996 and related regulations;
By a covered entity or business associate governed by the privacy, security, and breach
notification rules issued by the U.S. Department of Health and Human Services in 45 C.F.R.
parts 160 and 164, or a program or a qualified service program defined in 42 C.F.R. part 2;
For purposes of research as defined in 45 C.F.R. s. 164.501, conducted in accordance with
the Federal Policy for the Protection of Human Subjects for purposes of 45 C.F.R. part 46,
the good clinical practice guidelines issued by the International Council for Harmonisation of
Technical Requirements for Pharmaceuticals for Human Use, or the Protection for Human
Subjects for purposes of 21 C.F.R. Parts 50 and 56; or personal information used or shared in
research conducted in accordance with one or more of these standards;
For purposes of compliance with the federal Health Care Quality Improvement Act of 1986
and related regulations, or patient safety work product for purposes of 42 C.F.R. part 3,
established pursuant to 42 U.S.C. s. 299b-21 through 299b-26;
Is deidentified in accordance with 45 C.F.R. part 164 and that is derived from individually
identifiable health information, as described in HIPAA, or identifiable personal information,
consistent with the Federal Policy for the Protection of Human Subjects or the human subject
protection requirements of the United States Food and Drug Administration;
Used only for public health activities and purposes as described in 45 C.F.R. s. 164.512;
That is collected, processed, sold, or disclosed pursuant to the federal Fair Credit Reporting
Act, 15 U.S.C. s. 1681 and its implementing regulations;
That is nonpublic personal information collected, processed, sold, or disclosed pursuant to
the Gramm-Leach-Bliley Act, 15 U.S.C. s. 6801 et seq. and implementing regulations;
By a financial institution, as defined in the Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et
seq.;
That is collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy
Protection Act of 1994, 18 U.S.C. ss. 2721 et. seq.;
That consists of education information covered by the Family Educational Rights and
Privacy Act, 20 U.S.C. s. 1232(g) and 34 C.F.R. part 99;
That is collected as part of public or peer-reviewed scientific or statistical research in the
public interest and which adheres to all other applicable ethics and privacy laws, if the
consumer has provided informed consent;
Disclosed for the purpose of responding to an alert of a present risk of harm to a person or
property or prosecuting those responsible for such activity;
Disclosed when a consumer uses or directs a controller to intentionally disclose information
to a third party or uses the controller to intentionally interact with a third party;
That is an identifier used for a consumer how has opted out of the sale or sharing of the
consumer’s personal information for the sole purpose of alerting processors and third parties
that the consumer has opted out of the sale or sharing of the consumer’s personal
information;
Transferred by a controller to a third party as an asset that is part of a merger, acquisition,
bankruptcy, or other transaction in which the third party assumes control of all or part of the
controller, provided that the information is used or shared consistently;
Necessary to fulfill the terms of a written warranty when such warranty was purchased by the
consumer or the product that is warranted was purchased by the consumer; BILL: CS/SB 262 Page 24
Necessary for a product recall for a product purchased or owned by the consumer conducted
in accordance with federal law;
Processed solely for the purposed of independently measuring or reporting advertising or
content performance, reach, or frequency pursuant to a contract with a controller that
collected personal information in accordance with this bill;
Shared between a manufacturer of a tangible product and authorized third party distributors
or vendors of the product, as long as such information is used solely for advertising,
marketing, or servicing the product that is acquired directly through such manufacturer and
such authorized third party distributors or vendors.
Online Privacy Policy
Controllers that collect personal information about a consumer must maintain a current online
privacy policy that is available on the controller’s homepage.
124
The privacy policy must include:
Any Florida-specific consumer privacy rights;
The types and categories of personal information that they collect, sell, or share, or have
collected, sold, or shared in the past about consumers;
The consumer’s right to request deletion or correction of certain personal information; and
The consumer’s right to opt out of the sale or sharing of their personal information to third
parties.
A controller that collects personal information must at or before the point of collection, inform
the consumer of the categories of personal information that it will collect, and the purposes for
which the categories of information will be used. Additionally, such controllers cannot expand
the scope of their collection of personal information or use that personal information outside of
its initially expressed purpose without first providing the consumer with additional notice
consistent with the requirements of the bill.
Notice of Retention of Personal Information
A controller must adopt and implement a retention schedule that prohibits the use or retention of
personal information by the controller or processor:
After the satisfaction of the initial purpose for which the information was collected or
obtained;
After the expiration or termination of the contract pursuant to which the information was
collected or obtained; or
2 years after the consumer’s last interaction with the controller.
The retention schedule requirement does not apply to personal information that is reasonably
used or retained to do any of the following:
Fulfill the terms of a written warranty or product recall conducted in accordance with federal
law;
124
The bill defines “homepage” as the introductrory page of an Internet website and any Internet webpage where personal
information is collected. In the case of a mobile application, the homepage is the application’s platform page or download
page, a link within the application, such as “About” or “Information” application configurations, or the settings page, and any
other location that allows consumers to review the notice required by the bill, but not limited to, before downloading the
application. BILL: CS/SB 262 Page 25
Provide a good or service requested by the consumer, or reasonably anticipate the request of
such good or service within the context of a controller’s ongoing business relationship with
the consumer;
Detect security threats or incidents; protect against malicious, deceptive, fraudulent,
unauthorized, or illegal activity or access; or prosecute those responsible for such activities.
Debug to identify and repair errors that impair existing functionality;
Engage in public or peer-reviewed scientific, historical, or statistical research in the public’s
interest that adheres to all applicable ethics and privacy laws when the controller’s deletion
would likely render impossible or seriously impair the achievement of the research, if the
consumer first provided informed consent;
Enable internal uses that are reasonably aligned with the expectations of the consumer based
on the relationship with the controller or that are compatible with the context in which the
consumer gave the information;
Comply with a legal obligation, including any state or federal retention laws;
Protect the controller’s interest against existing disputes, legal actions, or governmental
investigations; or
Assure the physical security of persons or property.
Data Security
A controller that collects a consumer’s personal information must implement and maintain
reasonable security procedures and practices to protect personal information from unauthorized
or illegal access, destruction, use, modification, or disclosure. Additionally, a controller must
require any processors to implement and maintain the same or similar security procedures and
practices.
Consumer Rights Based on the Sale of Personal Information
The bill establishes specific consumer rights regarding their personal information, including:
The right to access personal information that was collected about them;
The right to delete or correct their personal information; and
The right to opt-out of the sale or sharing of their personal information with third parties.
The bill prohibits as contrary to public policy any waiver or limitation of a consumer’s rights as
provided by the bill, including the waiver or limitation of the consumer’s right to a remedy or
means of enforcement.
Verifiable Requests
A consumer must make a verifiable request to exercise their rights to know, delete, or correct,
their collected personal information.
A “verifiable consumer request” is defined as a request that is submitted to a controller by:
A consumer;
A parent or guardian on behalf of a consumer who is a minor child; or
A person authorized by the consumer to act on the consumer’s behalf.
BILL: CS/SB 262 Page 26
A verifiable consumer request is presumed to have been made when requested through an
established account using the controller’s established security features to access the account
through communication features offered to consumers. However, a controller may not require the
consumer to create or have an account with the controller in order to make a verifiable consumer
request.
Right to Request a Copy of Personal Information that is Collected, Sold, or Shared
The bill grants consumers the right to request an accounting of certain information from a
controller who collects, sells, or shares their personal information. Within 45 calendar days of its
receipt of the request, the controller must respond with the following information in a readily
usable format:
The specific pieces of personal information collected about the consumer;
The categories of sources from which the consumer’s personal information was collected;
The specific pieces of personal information about the consumer that were sold or shared;
The third parties to which the controller sold or shared the consumer’s personal information;
and
The categories of consumer personal information that were disclosed to a processor.
The controller may extend their response period by an additional 45 calendar days (for a total of
90 calendar days) if they inform the consumer of the extension within the first 45 days from
receipt of the request. This right does not apply to information that relates solely to households.
Additionally, the controller is not required to provide the above-requested information more than
twice in a 12-month period.
This right to request a copy of personal information does not otherwise require controllers to
retain, reidentify, or link data that they would not maintain in their ordinary course of business.
Additionally, a controller is permitted to provide the data to the consumer in a manner that does
not disclose the controller’s trade secrets.
Right to Delete and Correct Personal Information
A consumer may request that a controller delete personal information that it collected about the
consumer or about the consumer’s child younger than 18 years old. After the business receives
such a request, it must delete the information and direct any processors the delete the information
within 90 days.
A consumer may request to correct personal information about the consumer or about the
consumer’s child younger than 18 years old that is held by a controller. The controller must use
commercially reasonable efforts to correct the inaccurate information as directed by the
consumer and direct any processor to correct it as well within 90 days of the request. A controller
can allow a consumer to correct information through a self-service mechanism.
Controllers and processors acting pursuant to a contract with the controller are not required to
comply with a request to delete or correct information if it is necessary to:
Complete the transaction for which the personal information was collected; BILL: CS/SB 262 Page 27
Fulfill the terms of a written warranty or product recall that is conducted in accordance with
federal law;
Detect security threats or incidents; protect against malicious, deceptive, fraudulent,
unauthorized, or illegal activity or access; or prosecute those responsible for such activity;
Debug and identify repair errors;
Engage in public or peer-reviewed scientific, historical, or statistical research that is
performed in accordance with applicable ethical standards and privacy laws—only when the
deletion of the consumer’s personal information would render such research impossible or
seriously impaired and where the consumer previously provided informed consent;
Enable solely internal uses that are reasonably aligned with the expectations of the consumer
based on the consumer’s relationship with the controller;
Comply with a legal obligation, including state or federal retention laws;
Reasonably protect the controller’s interests against existing disputes, legal action, or
governmental investigation; or
Assure the physical security of persons or property.
Additionally, a controller and contracted-processor are not required to comply with a request to
delete a consumer’s personal information if it is required to:
Provide a good or service requested by the consumer, or reasonably anticipate the request of
a good or service within the context of the controller’s ongoing business relationship with the
consumer, or otherwise perform a contract between the controller and consumer; or
Engage in public or peer-reviewed research that adheres to applicable ethics and privacy
laws, if the deletion would likely render impossible, or seriously impair the research, and if
the consumer initially provided informed consent.
Right to Opt Out of the Sale or Sharing of Personal Information
The bill creates a “right to opt out,” which allows a consumer to instruct a controller that sells
personal information to a third party not to sell their personal information. A controller must stop
selling and sharing the consumer’s personal information within 4 calendar days after it receives
an opt-out request, and cannot begin to sell or share the consumer personal information again
unless it receives subsequent express authorization. Additionally, a controller is prohibited from
selling or sharing the personal information of a minor consumer if the controller has actual
knowledge that the consumer is not at least 18 years old. However, if a consumer who is between
13 and 18 years old, or if the parent or guardian of a consumer who is 12 years old or younger,
has affirmatively authorized the sale or sharing of such consumer’s personal information, then a
controller may do so pursuant to the requirements under the bill.
The controller must provide a clear and accessible link on its homepage to consumer’s entitled
“Do Not Sell or Share My Personal Information” to allow the consumer to opt out. The
controller cannot require a consumer to create an account. A consumer’s opt out request may
also be made through a user-enabled global privacy control, e.g., a browser plug-in or privacy
setting. Any personal information collected from the consumer in connection with an opt out
request must solely be used to comply with such request. Additionally, a consumer may
authorize another person to opt out on the consumer’s behalf.
BILL: CS/SB 262 Page 28
The controller must respect the consumer’s opt out request for at least 12-months before it can
request the consumer’s authorization of the sale or sharing of consumer personal information
again.
Incentives for Consent to Sell or Share Personal Information
A controller cannot deny goods or services to a consumer because the consumer exercised any
rights under the bill.
A controller can charge a consumer who exercised any of the rights granted by the bill a different
price or rate, or provide a different level or quality of goods or services to the consumer, only if
that difference is:
Reasonably related to the value provided to the controller by the consumer’s data, or
Related to a consumer’s voluntary participation in a financial incentive program, including
loyalty, rewards, premium features, discounts, or club card program that is offered by the
controller.
A controller can offer additional benefits to consumers who participate in the collection, sharing,
sale, or deletion of personal information. This consent must have been granted based on a clear
description of the material terms of the incentive program, and the consumer must be permitted
to revoke his or her consent at any time. The discount or promotional item must be reasonably
related to the value the consumer’s data provides to the business and must not be unjust,
unreasonable, coercive, or usurious.
Surveillance
A controller is prohibited from collecting a consumer’s precise geolocation data or personal
information through the operation of a voice recognition feature, unless the consumer provides
authorization.
Precise geolocation data is information from technology, such as global positioning system level
latitude and longitude coordinates or other mechanisms, which directly identifies the specific
location of a person within a radius of 1,750 feet. However, the term does not include
information generated by the transmission of communications or any information generated by
or connected to advance utility metering infrastructure systems.
A voice recognition feature means the function of a device which enables the collection,
recording, storage, analysis, transmission, interpretation, or other use of spoken words or other
sounds.
Search Engine Transparency
A controller that operates a search engine must provide a consumer with information of how the
controller’s search engine algorithm prioritizes or deprioritizes political partisanship or political
ideology in its search results.
BILL: CS/SB 262 Page 29
Agency Enforcement and Implementation
The Department of Legal Affairs (DLA) may prosecute on behalf of a Florida consumer any
violation of the bill’s provisions as a deceptive and unfair trade practice, pursuant to the Florida
Deceptive and Unfair Trade Practices Act (FDUTPA).
125
The DLA may provide suspected controller, processor, or third party violators a right to cure
their violation by providing written notice of the violation and then allowing a 45-day period to
cure the alleged violation. However, the DLA cannot offer a right to cure based on an alleged
violation that involves a Florida consumer who the controller, processor, or third party has actual
knowledge is under 18 years old. If the alleged violator cures the violation to the satisfaction of
the DLA, the DLA may issue a letter of guidance. If the violator fails to cure within 45 days, the
DLA may commence enforcement against the controller, processor, or third party.
The court may:
Grant injunctive relief;
126
Award actual damages based on the violation;
127
Award a civil penalty of not more than $50,000 for each willful violation; and
Triple the civil penalty if the violation:
o Involves a Florida consumer who the controller, processor, or third party has actual
knowledge is 18 years of age or younger, or
o Is based on a controller’s, processor’s, or third party’s failure to delete or correct the
consumer’s personal information after receiving a verifiable request to delete or correct,
unless otherwise exempt; or
o Is based on the controller’s, processor’s, or third party’s continued sale or sharing of the
consumer’s personal information after the consumer opted out.
The bill grants the DLA rulemaking authority to implement the bill, including the adoption of
standards for verifiable consumer requests, enforcement, data security, and authorized persons
who may act on a consumer’s behalf. The DLA may employ or use the legal services of outside
counsel and the investigative services of outside personnel. Additionally, the DLA may
collaborate and cooperate with other enforcement authorities of the federal government or other
state governments if such enforcement authorities have restrictions governing confidentiality that
are at least as stringent as the restrictions in this bill.
Liability for a tort, contract claim, or consumer protection claim that is unrelated to an action
brought under the bill does not arise solely from the failure of a controller, processor, or third
party to comply with this bill.
The bill provides that there is not a private cause of action.
125
For the purpose of brining an action pursuant to this bill ss. 501.211 and 501.212, F.S., do not apply.
126
Section 501.207(1), F.S.
127
Section 501.207(1), F.S. BILL: CS/SB 262 Page 30
The bill requires all money recovered by the Attorney General for attorney fees, costs, and
penalties in an action for a violation of this bill must be deposited in the Legal Affairs Revolving
Trust fund.
Report by the Department of Legal Affairs
The bill requires the DLA to submit a report by February 1 each year to the President of the
Senate and the Speaker of the House of Representatives that describes any actions it has
undertaken to enforce the bill. The report must include statistics and relevant information that
details:
The number of complaints received and the categories or types of violations alleged by the
complainant;
The number and type of enforcement actions taken and the outcomes of such action;
The number of complaints resolved without the need for litigation; and
The status of the development and implementation of rules to implement the bill.
Preemption
The bill provides that consumer data privacy is a matter of statewide concern and the bill
supersedes all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city
and county, municipality, or local agency regarding the collection, processing, sharing, or sale of
consumer personal information by a controller or processor. The regulation of the collection,
processing, sharing, or sale of consumer personal information by a controller or processor is
preempted to the state.
Florida Information Protection Act
The bill amends s. 501.171, F.S., to define “biometric information” as an individual's
physiological, biological, or behavioral characteristics that can be used, singly or in combination
with each other or with other identifying data, to establish individual identity. The term includes,
but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and
voice recordings, from which an identifier template, such as a face print, a minutiae template, or
a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and
sleep, health, or exercise data that contain identifying information.
The bill defines “genetic information” as an individual's deoxyribonucleic acid (DNA).
The bill includes biometric information, genetic information, and geolocation in FIPA’s
definition of “personal information” so that covered entities are required to notify the affected
individual, the DLA, and credit reporting agencies of a breach of biometric information or
geolocation paired with an individual’s first name or first initial and last name.
Effective Date
The bill takes effect on July 1, 2023. BILL: CS/SB 262 Page 31
IV. Constitutional Issues:
A. Municipality/County Mandates Restrictions:
None.
B. Public Records/Open Meetings Issues:
None.
C. Trust Funds Restrictions:
None.
D. State Tax or Fee Increases:
None.
E. Other Constitutional Issues:
V. Fiscal Impact Statement:
A. Tax/Fee Issues:
None.
B. Private Sector Impact:
This will likely have wide-ranging impact on how Florida consumers interact with
websites and internet-connected devices.
Businesses will have to adjust their operations to implement the bill’s notice and privacy
requirements. Many of the businesses subject to the bill’s requirements may have already
implemented or are in the process of implementing similar privacy practices based on
legislation in other states, and the E.U.
Search engines will have to provide information to consumers on how the search engine
prioritizes or deprioritizes certain information.
C. Government Sector Impact:
Governmental entities may have to update their policies to reflect the prohibitions in the
bill.
VI. Technical Deficiencies:
None. BILL: CS/SB 262 Page 32
VII. Related Issues:
None.
VIII. Statutes Affected:
The bill substantially amends the following sections of the Florida Statutes: 16.53 and 501.171.
This bill creates the following sections of the Florida Statutes: 112.23 and 501.173.
IX. Additional Information:
A. Committee Substitute – Statement of Substantial Changes:
(Summarizing differences between the Committee Substitute and the prior version of the bill.)
CS by Commerce and Tourism on April 4, 2023:
The committee substitute clarifies that the prohibitions provided in section 1 of the bill do
not apply to a governmental entity that is acting as part of any of the following:
An attempt to remove content that pertains to the commission of a crime or violation
of Florida's public records law; or
An attempt to remove an account that pertains to the commission of a crime or
violation of Florida's public records law.
B. Amendments:
None.
This Senate Bill Analysis does not reflect the intent or official position of the bill’s introducer or the Florida Senate.