Florida Statutes 501.71 – Controller duties
Current as of: 2024 | Check for updates
|
Other versions
(1) A controller shall:
(a) Limit the collection of personal data to data that is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed, as disclosed to the consumer; and
Terms Used In Florida Statutes 501.71
- Child: means an individual younger than 18 years of age. See Florida Statutes 501.702
- Consumer: means an individual who is a resident of or is domiciled in this state acting only in an individual or household context. See Florida Statutes 501.702
- Controller: means :(a) A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:1. See Florida Statutes 501.702
- Known child: means a child under circumstances of which a controller has actual knowledge of, or willfully disregards, the child's age. See Florida Statutes 501.702
- Personal data: means any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. See Florida Statutes 501.702
- processing: means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. See Florida Statutes 501.702
- Search engine: means technology and systems that use algorithms to sift through and index vast third-party websites and content on the Internet in response to search queries entered by a user. See Florida Statutes 501.702
- Sensitive data: means a category of personal data which includes any of the following:
(a) Personal data revealing an individual's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. See Florida Statutes 501.702(b) For purposes of protecting the confidentiality, integrity, and accessibility of personal data, establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.(2) A controller may not do any of the following:(a) Except as otherwise provided by this part, process personal data for a purpose that is neither reasonably necessary nor compatible with the purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.(b) Process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.(c) Discriminate against a consumer for exercising any of the consumer rights contained in this part, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer. A controller may offer financial incentives, including payments to consumers as compensation, for processing of personal data if the consumer gives the controller prior consent that clearly describes the material terms of the financial incentive program and provided that such incentive practices are not unjust, unreasonable, coercive, or usurious in nature. The consent may be revoked by the consumer at any time.(d) Process the sensitive data of a consumer without obtaining the consumer’s consent, or, in the case of processing the sensitive data of a known child, without processing that data with the affirmative authorization for such processing by a known child who is between 13 and 18 years of age or in accordance with the Children’s Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq. for a known child under the age of 13.(3) Paragraph (2)(c) may not be construed to require a controller to provide a product or service that requires the personal data of a consumer which the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer’s right to opt out under s. 501.705(2) or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.(4) A controller that operates a search engine shall make available, in an easily accessible location on the web page which does not require a consumer to log in or register to read, an up-to-date, plain language description of the main parameters that are individually or collectively the most significant in determining ranking and the relative importance of those main parameters, including the prioritization or deprioritization of political partisanship or political ideology in search results. Algorithms are not required to be disclosed nor is any other information that, with reasonable certainty, would enable deception of or harm to consumers through the manipulation of search results.