Page 249 - GDPR and US States General Privacy Laws Deskbook
Section 17. Section 501.714, Florida Statutes, is created to read:
501.714 Deidentified data, pseudonymous data, and aggregate consumer information.
(1) A controller in possession of deidentified data shall do all of the following:
(a) Take reasonable measures to ensure that the data cannot be associated with an individual.
(b) Maintain and use the data in deidentified form. A controller may not attempt to reidentify the data, except that the
controller may attempt to reidentify the data solely for the purpose of determining whether its deidentification
processes satisfy the requirements of this section.
(c) Contractually obligate any recipient of the deidentified data to comply with this part.
(d) Implement business processes to prevent the inadvertent release of deidentified data.
(2) This part may not be construed to require a controller or processor to do any of the following:
(a) Reidentify deidentified data or pseudonymous data.
(b) Maintain data in an identifiable form or obtain, retain, or access any data or technology for the purpose of allowing
the controller or processor to associate a consumer request with personal data.
(c) Comply with an authenticated consumer rights request under s. 501.705 if the controller:
1. Is not reasonably capable of associating the request with the personal data or it would be unreasonably
burdensome for the controller to associate the request with the personal data;
2. Does not use the personal data to recognize or respond to the specific consumer who is the subject of the
personal data or associate the personal data with other personal data about the same specific consumer; and
3. Does not sell the personal data to a third party or otherwise voluntarily disclose the personal data to a third
party other than a processor, except as otherwise authorized by this section.
(3) The consumer rights enumerated under s. 501.705(2), and controller duties imposed under s. 501.71, do not apply
to pseudonymous data or aggregate consumer information in cases in which the controller is able to demonstrate
that any information necessary to identify the consumer is kept separate and is subject to effective technical and
organizational controls that prevent the controller from accessing the information.
(4) A controller that discloses pseudonymous data, deidentified data, or aggregate consumer information shall exercise
reasonable oversight to monitor compliance with any contractual commitments to which the data or information is
subject and shall take appropriate steps to address any breach of the contractual commitments.
Section 18. Section 501.715, Florida Statutes, is created to read:
501.715 Requirements for sensitive data.—
(1) A person who meets the requirements of s. 501.702(9)(a)1., (a)2., and (a)3. for the definition of a controller may not
engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer or, if the
sensitive data is of a known child, without processing that data with the affirmative authorization for such processing
by a known child who is between 13 and 18 years of age or in accordance with the Children’s Online Privacy Protection
Act, 15 U.S.C. ss. 6501 et seq. for a known child under the age of 13.
(2) A person in subsection (1) who engages in the sale of personal data that is sensitive data must provide the following
notice: “NOTICE: This website may sell your sensitive personal data.”
(3) A person who violates this section is subject to the penalty imposed under s. 501.72.
249 | Florida Technology Transparency