HOUSE OF REPRESENTATIVES STAFF ANALYSIS
BILL #: CS/HB 1547 Technology Transparency
SPONSOR(S): Regulatory Reform & Economic Development Subcommittee, McFarland
TIED BILLS: HB 1549 IDEN./SIM. BILLS: CS/SB 262
REFERENCE | ACTION | ANALYST | STAFF DIRECTOR or BUDGET/POLICY CHIEF
1) Regulatory Reform & Economic Development Subcommittee | 15 Y, 0 N, As CS | Wright | Anstead
2) Commerce Committee | 16 Y, 3 N | Wright | Hamon
SUMMARY ANALYSIS
Due to the growth in businesses that collect personal information for the purpose of selling targeted advertising on
the Internet, many countries and states have adopted or updated laws relating to the collection and use of personal
information. Specifically, the European Union, and states like California, Virginia, and Illinois, have enacted data
privacy laws to protect consumers’ personal information.
The bill requires certain businesses to publish a privacy policy for personal information, and defines “personal
information” as information that is linked or reasonably linkable to an identified or identifiable consumer or
household, including biometric information and unique identifiers to the consumer. The term does not include certain
public information, certain employee information, or deidentified or aggregate information.
The bill gives consumers rights related to personal information collected by certain businesses with over $1 billion in
gross annual revenues, including:
• The right to access personal information collected;
• The right to delete or correct personal information; and
• The right to opt-out of the sale or sharing of personal information.
The bill provides that online platforms predominantly accessed by children may not, except under certain situations:
• Process personal information of or profile a child.
• Collect, sell, share, or retain personal information or geolocation of a child.
• Use a child’s personal information for any unstated reason.
• Use dark patterns to obtain more information of a child than necessary.
• Use collected information to estimate age for any other reason.
The bill allows the Department of Legal Affairs (DLA) to enforce such rights by bringing an action against, and
collecting civil penalties from, online platforms or businesses that violate a consumer’s rights as provided in the bill.
A consumer whose personal information has been sold or shared after opting-out, or has been retained after a
request to delete or correct such information may also bring a cause of action on his or her own behalf.
The bill also adds “biometric information or genetic information” and “geolocation” to the definition of “personal
information” under the Florida Information Protection Act. As such, entities in possession of such information must
take reasonable measures to protect biometric and genetic information and report data breaches.
The bill provides that certain government employees may not request that a social media platform remove content
or accounts and prohibits a governmental entity from working with a social media platform for the purpose of content
moderation, with certain exceptions.
The bill has no fiscal impact on local governments, and an indeterminate fiscal impact on state government.
The bill has an effective date of July 1, 2023.
This document does not reflect the intent or official position of the bill sponsor or House of Representatives.
STORAGE NAME: h1547c.COM
DATE: 4/24/2023
FULL ANALYSIS
I. SUBSTANTIVE ANALYSIS
A. EFFECT OF PROPOSED CHANGES:
Consumer Data Privacy – Current Situation
Florida Deceptive and Unfair Trade Practices Act (FDUTPA)
FDUTPA is a consumer and business protection measure that prohibits unfair methods of competition,
unconscionable acts or practices, and unfair or deceptive acts or practices in trade or commerce. 1
FDUTPA was modeled after the Federal Trade Commission (FTC) Act.2
The DLA or the Office of the State Attorney (SAO) may bring actions on behalf of consumers or
governmental entities when it is a matter of public interest.3 The SAO may enforce violations of
FDUTPA if the violations take place within its jurisdiction. The DLA has enforcement authority when the
violation is multi-jurisdictional, the state attorney defers to the DLA in writing, or the state attorney fails
to act within 90 days after a written complaint is filed.4 In certain circumstances, consumers may also
file suit through private actions.5
The DLA and the SAO have powers to investigate FDUTPA claims, which include: 6
• Administering oaths and affirmations;
• Subpoenaing witnesses or matter; and
• Collecting evidence.
The DLA and the State Attorney, as enforcing authorities, may seek the following remedies:
• Declaratory judgments;
• Injunctive relief;
• Actual damages on behalf of consumers and businesses;
• Cease and desist orders; and
• Civil penalties of up to $10,000 per willful violation. 7
FDUTPA may not be applied to certain entities in certain circumstances, including:8
• Any person or activity regulated under laws administered by the Office of Insurance Regulation
or the Department of Financial Services; or
• Banks, credit unions, and savings and loan associations regulated by the Office of Financial
Regulation or federal agencies.
Consumer Data
1 Ch. 73-124, L.O.F.; s. 501.202, F.S.
2 D. Matthew Allen, et al., The Federal Character of Florida’s Deceptive and Unfair Trade Practices Act, 65 U. MIAMI L. REV. 1083
(Summer 2011).
3 S. 501.207(1)(c) and (2), F.S.; see s. 501.203(2), F.S. (defining “enforcing authority” and referring to the office of the state attorney if a
violation occurs in or affects the judicial circuit under the office’s jurisdiction; or the Department of Legal Affairs if the violation occurs in
more than one circuit; or if the office of the state attorney defers to the department in writing; or fails to act within a specified period);
see also David J. Federbush, FDUTPA for Civil Antitrust: Additional Conduct, Party, and Geographic Coverage; State Actions for
Consumer Restitution, 76 FLORIDA BAR JOURNAL 52, Dec. 2002 (analyzing the merits of FDUTPA and the potential for deterrence of
anticompetitive conduct in Florida), available at
http://www.floridabar.org/divcom/jn/jnjournal01.nsf/c0d731e03de9828d852574580042ae7a/99aa165b7d8ac8a485256c8300791ec1!OpenDocument&Highlight=0,business,Division*
(last visited on Mar. 25, 2023).
4 S. 501.203(2), F.S.
5 S. 501.211, F.S.
6 S. 501.206(1), F.S.
7 Ss. 501.207(1), 501.208, and 501.2075, F.S. Civil Penalties are deposited into general revenue. Enforcing authorities may also
request attorney fees and costs of investigation or litigation. S. 501.2105, F.S.
8 S. 501.212(4), F.S.
As technologies that capture and analyze data proliferate, so do businesses' abilities to contextualize
consumer data. Businesses use such data for a range of purposes, including better understanding day-
to-day operations to increase revenue, making informed business decisions, learning about their
customer base, and tailoring marketing strategies.9
From consumer behavior to predictive analytics, companies regularly capture, store, and analyze large
amounts of quantitative and qualitative data on their consumer base. Some companies have built an
entire business model around consumer data, which may include the company selling personal
information to a third party or creating targeted ads for specific consumers.10
Generally, the types of consumer data that businesses collect are: 11
• Personal data, which includes personally identifiable information, such as Social Security
numbers and gender, as well as identifiable information, including IP address, web browser
cookies, and device IDs;
• Engagement data, which details how consumers interact with a business's website, mobile
apps, social media pages, emails, paid ads, and customer service routes;
• Behavioral data, which includes transactional details such as purchase histories, product usage
information, and qualitative data; and
• Attitudinal data, which encompasses metrics on consumer satisfaction, purchase criteria,
product desirability, and more.
General Data Protection Regulation (European Union)
In 2016, the European Union passed a broad data privacy law that addressed several areas of
consumer rights and data protection called the General Data Protection Regulation (GDPR). 12 The law
became effective in 2018 and unified the regulatory approach to data privacy across the European
Union. The GDPR has since become a model for other data privacy laws in other countries, including
Chile, Japan, Brazil, South Korea, Argentina, and Kenya.13
Under the GDPR, personal data includes anything that allows a person to be identified. Individuals,
organizations, and companies that are either “controllers” or “processors” of personal data are covered
by the law. Controllers exercise overall control of the purposes and means of processing personal data;
whereas processors act on behalf of, and only on the instructions of, the relevant controller. 14
Before processing or collecting any personal data, a business must explicitly request permission from
the subject or person to do so. The request must use clear language and is commonly referred to as a
data “opt-in.”
The GDPR specifically bans the use of lengthy documents filled with legalese to confuse or frustrate
the consumer. Hiding permissions to collect and use data within a contract’s Terms and Conditions or
Privacy Policy sections is not permissible under the GDPR. Consent must be given for a specific
purpose and must be requested separately from other documents and policy statements. 15
The GDPR requires companies to provide, at the data subject's request, confirmation as to whether
personal data pertaining to them is being processed, where it is being processed, and for what
9 Max Freedman, How Businesses Are Collecting Data (And What They’re Doing With It), Business News Daily (Jun. 17, 2020)
https://www.businessnewsdaily.com/10625-businesses-collecting-data.html (last visited Mar. 25, 2023).
10 Id.
11 Id.
12 European Data Protection Supervisor, The History of the General Data Protection Regulation, https://edps.europa.eu/data-
protection/data-protection/legislation/history-general-data-protection-regulation_en (last visited Mar. 25, 2023).
13 Id.
14 Wired, What is the GDPR? The Summary Guide to GDPR Compliance in the UK, https://www.wired.co.uk/article/what-is-gdpr-uk-eu-
legislation-compliance-summary-fines-2018 (last visited Mar. 25, 2023).
15 TechRepublic, GDPR: A Cheat Sheet, https://www.techrepublic.com/article/the-eu-general-data-protection-regulation-gdpr-the-smart-
persons-guide/ (last visited Mar. 25, 2023).
purpose. A company must also provide, free of charge, a copy of the personal data being processed in
an electronic format to the consumer.16
Under the GDPR, a company must erase all personal data when asked to do so by the subject
consumer. At that point, the company must cease further dissemination of the data and halt all
processing of that consumer’s data. Valid conditions for erasure include situations where the data is no
longer relevant, the original purpose has been satisfied, or a subject consumer withdraws consent.17
The GDPR requires a company to provide mechanisms for a subject to receive any previously provided
personal data in a commonly used and machine-readable format.18
The GDPR allows private rights of action for violations of privacy rights; however, the consumer must
prove any damages in order to receive compensation.19
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The California Consumer Privacy Act of 2018 (CCPA) was passed to give consumers more control over
the personal information that businesses collect. This landmark law granted new privacy rights for
California consumers, including:20
• The right to know about the personal information a business collects, specifically about the
consumer, and how it is used and shared;
• The right to delete personal information collected with some exceptions;
• The right to opt-out of the sale of personal information; and
• The right to non-discrimination for exercising the CCPA rights.
The CCPA applies to for-profit businesses that do business in California that also meet any of the
following:21
• Have a gross annual revenue of over $25 million;
• Buy, receive, or sell the personal information of 50,000 or more California residents,
households, or devices; or
• Derive 50 percent or more of their annual revenue from selling California residents’ personal
information.
Businesses must give consumers certain notices explaining their privacy practices and provide certain
mechanisms to allow consumers to exercise their rights. 22
The law is largely enforced by the Attorney General, and businesses are subject to fines for violating
the law. A consumer may only bring a cause of action against a business if certain categories of
personal information tied to his or her name have been stolen in a nonencrypted and nonredacted
form.23 As of July 2020, approximately 50 suits had been filed pursuant to this provision. 24
The California Privacy Rights Act (CPRA) passed in 2020 as a statewide proposition, though it is not
effective until January 1, 2023. The CPRA amends and expands the CCPA. Specifically dealing with
certain areas of concern with the CCPA, the CPRA created a new agency to handle complaints and
enforcement. The CPRA changes the CCPA by:25
16 Id.
17 Id.
18 Id.
19 Art. 82 of the GDPR.
20 State of California Department of Justice, Office of the Attorney General, California Consumer Privacy Act (CCPA),
https://oag.ca.gov/privacy/ccpa (last visited Mar. 25, 2023).
21 Cal. Civ. Code s. 1798.140.
22 Cal. Civ. Code ss. 1798.130, 1798.135.
23 Cal. Civ. Code ss. 1798.150, 1798.155.
24 Holland & Knight LLP, Litigating the CCPA in Court, Litigating the CCPA in Court | Insights | Holland & Knight (hklaw.com) (last
visited Mar. 25, 2023).
25 Ballotpedia, California Proposition 24, Consumer Personal Information Law and Agency Initiative (2020),
https://ballotpedia.org/California_Proposition_24,_Consumer_Personal_Information_Law_and_Agency_Initiative_(2020) (last visited
Mar. 25, 2023).
• Allowing a consumer to:
o Prevent businesses from sharing his or her personal information;
o Correct inaccurate personal information; and
o Limit businesses’ use of “sensitive personal information”—including precise geolocation;
race; ethnicity; religion; genetic data; private communications; sexual orientation; and
specified health information;
• Establishing the California Privacy Protection Agency to additionally enforce and implement
consumer privacy laws and impose fines;
• Changing criteria for which businesses must comply with laws by:
o Doubling the CCPA’s threshold number of consumers or households from 50,000 to
100,000, resulting in reduced applicability of the law to small and midsize businesses;
o Expanding applicability to businesses that generate most of their revenue from sharing
personal information, not merely selling it; and
o Extending the definition to joint ventures or partnerships composed of businesses that
each have at least a 40 percent interest.
• Prohibiting businesses’ retention of personal information for longer than reasonably necessary;
• Tripling maximum penalties for violations concerning consumers under age 16; and
• Authorizing civil penalties for theft of consumer login information.
California Age-Appropriate Design Code Act
In 2022, California adopted the California Age-Appropriate Design Code Act (CAADCA), an
amendment to the CPRA,26 legislation modelled on the United Kingdom’s Age Appropriate Design
Code,27 which requires online platforms to adhere to strict default privacy and safety settings that
protect the best interest of children.28 CAADCA covers children under 18 years of age and will be
effective July 1, 2024.29
CAADCA requires certain businesses that provide an online service, product, or feature that is likely to
be accessed by children to comply with several new requirements and restrictions, including:30
• Prohibitions on using any personal information that it knows or should know is materially
detrimental to a child’s physical or mental health