Online Sunshine Logo
Official Internet Site of the Florida Legislature
February 25, 2024
Text: 'NEW Advanced Legislative Search'
Interpreter Services for the Deaf and Hard of Hearing
Go to MyFlorida House
Go to MyFlorida House
Select Year:  
The Florida Statutes

The 2023 Florida Statutes (including Special Session C)

Title XXXIII
REGULATION OF TRADE, COMMERCE, INVESTMENTS, AND SOLICITATIONS
Chapter 501
CONSUMER PROTECTION
View Entire Chapter
F.S. 501.702
1501.702 Definitions.As used in this part, the term:
(1) “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or that shares common branding with another legal entity. For purposes of this subsection, the term “control” or “controlled” means any of the following:
(a) The ownership of, or power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company.
(b) The control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
(c) The power to exercise controlling influence over the management of a company.
(2) “Aggregate consumer information” means information that relates to a group or category of consumers from which the identity of an individual consumer has been removed and is not reasonably capable of being directly or indirectly associated or linked with any consumer, household, or device. The term does not include information about a group or category of consumers used to facilitate targeted advertising or the display of ads online. The term does not include personal information that has been deidentified.
(3) “Authenticate” or “authenticated” means to verify or the state of having been verified, respectively, through reasonable means that the consumer who is entitled to exercise the consumer’s rights under s. 501.705 is the same consumer exercising those consumer rights with respect to the personal data at issue.
(4) “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics. The term includes fingerprints, voiceprints, eye retinas or irises, or other unique biological patterns or characteristics used to identify a specific individual. The term does not include physical or digital photographs; video or audio recordings or data generated from video or audio recordings; or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
(5) “Business associate” has the same meaning as in 45 C.F.R. s. 160.103 and the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
(6) “Child” means an individual younger than 18 years of age.
(7) “Consent,” when referring to a consumer, means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative act. The term does not include any of the following:
(a) Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information.
(b) Hovering over, muting, pausing, or closing a given piece of content.
(c) Agreement obtained through the use of dark patterns.
(8) “Consumer” means an individual who is a resident of or is domiciled in this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.
(9) “Controller” means:
(a) A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
1. Is organized or operated for the profit or financial benefit of its shareholders or owners;
2. Conducts business in this state;
3. Collects personal data about consumers, or is the entity on behalf of which such information is collected;
4. Determines the purposes and means of processing personal data about consumers alone or jointly with others;
5. Makes in excess of $1 billion in global gross annual revenues; and
6. Satisfies at least one of the following:
a. Derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;
b. Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-subparagraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle which is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; or
c. Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
(b) Any entity that controls or is controlled by a controller. As used in this paragraph, the term “control” means:
1. Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a controller;
2. Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or
3. The power to exercise a controlling influence over the management of a company.
(10) “Covered entity” has the same meaning as in 45 C.F.R. s. 160.103 and the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
(11) “Dark pattern” means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decisionmaking, or choice. The term includes any practice the Federal Trade Commission refers to as a dark pattern.
(12) “Decision that produces a legal or similarly significant effect concerning a consumer” means a decision made by a controller which results in the provision or denial by the controller of any of the following:
(a) Financial and lending services.
(b) Housing, insurance, or health care services.
(c) Education enrollment.
(d) Employment opportunities.
(e) Criminal justice.
(f) Access to basic necessities, such as food and water.
(13) “Deidentified data” means data that cannot reasonably be linked to an identified or identifiable individual or a device linked to that individual.
(14) “Health care provider” has the same meaning as in 45 C.F.R. s. 160.103 and the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
(15) “Health record” means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health care services to an individual which concerns the individual and the services provided. The term includes any of the following:
(a) The substance of any communication made by an individual to a health care provider in confidence during or in connection with the provision of health care services.
(b) Information otherwise acquired by the health care provider about an individual in confidence and in connection with health care services provided to the individual.
(16) “Identified or identifiable individual” means a consumer who can be readily identified, directly or indirectly.
(17) “Known child” means a child under circumstances of which a controller has actual knowledge of, or willfully disregards, the child’s age.
(18) “Nonprofit organization” means any of the following:
(a) An organization exempt from federal taxation under s. 501(a) of the Internal Revenue Code of 1986 by virtue of being listed as an exempt organization under s. 501(c)(3), s. 501(c)(4), s. 501(c)(6), or s. 501(c)(12) of that code.
(b) A political organization.
(19) “Personal data” means any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.
(20) “Political organization” means a party, a committee, an association, a fund, or any other organization, regardless of whether incorporated, organized and operated primarily for the purpose of influencing or attempting to influence any of the following:
(a) The selection, nomination, election, or appointment of an individual to a federal, state, or local public office or an office in a political organization, regardless of whether the individual is selected, nominated, elected, or appointed.
(b) The election of a presidential or vice-presidential elector, regardless of whether the elector is selected, nominated, elected, or appointed.
(21) “Postsecondary education institution” means a Florida College System institution, state university, or nonpublic postsecondary education institution that receives state funds.
(22) “Precise geolocation data” means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, which directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. The term does not include the content of communications or any data generated by or connected to an advanced utility metering infrastructure system or to equipment for use by a utility.
(23) “Process” or “processing” means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(24) “Processor” means a person who processes personal data on behalf of a controller.
(25) “Profiling” means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(26) “Protected health information” has the same meaning as in 45 C.F.R. s. 160.103 and the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
(27) “Pseudonymous data” means any information that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
(28) “Publicly available information” means information lawfully made available through government records, or information that a business has a reasonable basis for believing is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
(29) “Sale of personal data” means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. The term does not include any of the following:
(a) The disclosure of personal data to a processor who processes the personal data on the controller’s behalf.
(b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer.
(c) The disclosure of information that the consumer:
1. Intentionally made available to the general public through a mass media channel; and
2. Did not restrict to a specific audience.
(d) The disclosure or transfer of personal data to a third party as an asset that is part of a merger or an acquisition.
(30) “Search engine” means technology and systems that use algorithms to sift through and index vast third-party websites and content on the Internet in response to search queries entered by a user. The term does not include the license of search functionality for the purpose of enabling the licensee to operate a third-party search engine service in circumstances where the licensee does not have legal or operational control of the search algorithm, the index from which results are generated, or the ranking order in which the results are provided.
(31) “Sensitive data” means a category of personal data which includes any of the following:
(a) Personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
(b) Genetic or biometric data processed for the purpose of uniquely identifying an individual.
(c) Personal data collected from a known child.
(d) Precise geolocation data.
(32) “State agency” means any department, commission, board, office, council, authority, or other agency in the executive branch of state government created by the State Constitution or state law. The term includes a postsecondary education institution.
(33) “Targeted advertising” means displaying to a consumer an advertisement selected based on personal data obtained from that consumer’s activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer’s preferences or interests. The term does not include an advertisement that is:
(a) Based on the context of a consumer’s current search query on the controller’s own website or online application; or
(b) Directed to a consumer search query on the controller’s own website or online application in response to the consumer’s request for information or feedback.
(34) “Third party” means a person, other than the consumer, the controller, the processor, or an affiliate of the controller or processor.
(35) “Trade secret” has the same meaning as in s. 812.081.
(36) “Voice recognition feature” means the function of a device which enables the collection, recording, storage, analysis, transmission, interpretation, or other use of spoken words or other sounds.
History.s. 5, ch. 2023-201.
1Note.Effective July 1, 2024.