# Florida Consumer Privacy Law (FDBR & FIPA)[^about]

Florida's Digital Bill of Rights binds only billion-dollar big-tech controllers, but its sensitive-data-sale consent rule, FIPA's 30-day breach-notice duties, and FDUTPA reach nearly every business handling Floridians' data.

## Which privacy laws apply to your business in Florida? {#which-privacy-laws-apply}

**Short answer.** For most businesses, the operative Florida privacy laws are the breach statute and the deceptive-practices act — not the headline privacy law. The Florida Digital Bill of Rights (FDBR), effective July 1, 2024, looks comprehensive but defines *controller* so narrowly that only billion-dollar technology companies carry its full obligations: a for-profit entity doing business in Florida that makes more than $1 billion in global gross annual revenue and also derives half its revenue from online advertising, operates a consumer smart-speaker voice-assistant service, or runs an app store offering at least 250,000 applications [^q1-fdbr-controller]. By contrast, the Florida Information Protection Act (FIPA) — the data-security and breach-notification statute — covers essentially any commercial entity that acquires, maintains, stores, or uses personal information, with no size threshold at all [^q1-fipa-covered].

Florida is therefore a two-track state. Track one is the FDBR, Fla. Stat. §§ 501.701–501.722: it applies only to a person that conducts business in Florida or serves Florida residents and that processes or sells personal data, and it exempts state agencies, GLBA financial institutions, HIPAA covered entities and business associates, nonprofits, and postsecondary institutions outright [^q1-fdbr-apply]. Employee and business-contact data is also carved out at the data level, so the FDBR is a consumer statute, not an HR one [^q1-fdbr-hr]. Note one structural sweep: any entity that controls or is controlled by a covered controller is itself a controller, so a small Florida subsidiary of a covered platform inherits the obligations without its own billion-dollar showing.

Track two applies to everyone else: FIPA's reasonable-security and breach-notice duties (covered in the breach question below), the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) as the general backstop for privacy-related misstatements, and two children's online statutes with their own scope rules. And one FDBR provision escapes the billion-dollar perimeter entirely — the sensitive-data-sale consent rule, which the next question covers. Most companies that conclude the FDBR does not apply to them still have Florida obligations on these other tracks.

## Can your business sell sensitive data in Florida without consent? {#sensitive-data-sale}

**Short answer.** No — and unlike the rest of the FDBR, this rule is not limited to billion-dollar controllers. Section 501.715 reaches any person meeting only the first three elements of the controller definition — a for-profit entity that conducts business in Florida and collects consumers' personal data (or has it collected on its behalf) — and bars it from selling sensitive data without prior consumer consent, with COPPA-tier rules for known children [^q2-sale-rule]. A seller of sensitive data must also post the statute's scripted notice, word for word: "NOTICE: This website may sell your sensitive personal data." [^q2-sale-rule]

The reach of this rule turns on how broadly Florida defines *sensitive data*: data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to identify a person; all personal data collected from a known child — meaning anyone under 18 in Florida, not under 13; and precise geolocation data [^q2-sensitive-def]. An ordinary app publisher or retailer that monetizes location data or under-18 user data for monetary or other valuable consideration can therefore sit squarely inside an FDBR provision even though it fails the $1 billion test [^q2-sale-def]. The part-wide entity exemptions (GLBA financial institutions, HIPAA covered entities, nonprofits) still apply [^q2-fdbr-exemptions], and the *sale* definition excludes disclosures to processors and disclosures for a product or service requested by the consumer [^q2-sale-def]. No Florida decision or Attorney General guidance has yet construed how far § 501.715 extends in practice, so the conservative reading — any for-profit Florida business selling sensitive data needs prior consent and the posted notice — is the safer planning assumption.

For the billion-dollar controllers themselves, the duty goes further: a controller may not process sensitive data at all without consent, and for a known child it needs the child's own affirmative authorization (ages 13 to 18) or COPPA compliance (under 13) [^q2-optin].

> [!NOTE]
> **Practice note.**
>
> Because *sensitive data* includes every piece of personal data collected from a known child under 18 and all precise geolocation data, businesses far outside big tech — mobile games, ad-supported apps, data brokers, loyalty programs — can trip § 501.715 by selling location or under-18 data for consideration. Inventory whether any data flow to a third party involves these categories before assuming the FDBR is someone else's problem [^q2-sensitive-def].

## What must your Florida privacy policy contain? {#privacy-policy-contents}

**Short answer.** If you are an FDBR controller, the statute fixes the contents. Section 501.711 requires a reasonably accessible and clear privacy notice, updated at least annually, that lists the categories of personal data processed (including any sensitive data), the purposes of processing, how consumers exercise and appeal their rights, the categories of data shared with third parties and the categories of those third parties, and a description of the request-submission methods [^q3-notice-contents]. If you are not an FDBR controller, no Florida omnibus statute prescribes a full privacy-policy contents checklist — but FDUTPA declares unfair or deceptive acts in trade or commerce unlawful, so a policy that misstates how you actually collect, use, share, or secure data carries deceptive-practice risk under state law [^q3-fdutpa] and under Section 5 of the FTC Act [^q3-ftc5].

Treat § 501.711(1) as a six-item checklist that must appear on the face of the policy. Three Florida-specific drafting points sit on top of it. First, the annual-update mandate is written into the same sentence as the contents list, so a stale policy is itself a violation rather than a housekeeping lapse. Second, a controller that sells personal data or processes it for targeted advertising must clearly and conspicuously disclose that processing and how to opt out, and a controller that sells sensitive or biometric data must carry the statute's exact scripted sentences — for biometric data: "NOTICE: This website may sell your biometric personal data." [^q3-sale-scripts] Third, new categories of data or new purposes cannot be added silently: collecting more, or using data for more, requires fresh notice consistent with the section [^q3-notice-contents].

The notice also has to match the controller's operating duties. FDBR controllers must limit collection to data that is adequate, relevant, and reasonably necessary for disclosed purposes; maintain reasonable administrative, technical, and physical data-security practices; obtain consent before incompatible processing; avoid unlawful discrimination and rights-based discrimination; and use consent-backed, noncoercive terms for financial incentives [^q3-controller-duties]. They must also adopt a retention schedule that ends use or retention after the initial purpose is satisfied, the collection contract expires or terminates, or two years pass after the consumer's last interaction, unless a statutory retention use applies [^q3-retention].

One niche FDBR disclosure sits outside the privacy policy itself: a controller that operates a search engine must publish, in an easily accessible location that requires no login, a plain-language description of the main ranking parameters, including any prioritization or deprioritization of political partisanship or ideology in results [^q3-search-ranking].

Remember that § 501.715 imposes the sensitive-data sale script on sellers of sensitive data without regard to the controller thresholds (see the sensitive-data question above), so even a non-controller's policy may need that exact sentence.

> [!CAUTION]
> **Drafting note.**
>
> The two sale notices are scripted verbatim — the statute says the controller must provide *the following notice* and then supplies the sentence in quotation marks, leaving no room to paraphrase, soften, or reword. Paste the statutory sentences character for character; a reworded equivalent does not satisfy the text [^q3-sale-scripts].

## What must your contracts with data processors say in Florida? {#vendor-contracts}

**Short answer.** For FDBR controllers, a data processing agreement is a statutory requirement with fixed contents: the contract must include clear processing instructions, the nature and purpose of processing, the data types and duration, the parties' rights and obligations, and processor commitments to confidentiality, deletion or return of data, compliance demonstration, cooperation with assessments, and written flow-down of the same requirements to subcontractors [^q4-processor-contract].

The same controllers must also conduct and document *data protection assessments* — written benefit-versus-risk analyses — before five categories of processing: targeted advertising, the sale of personal data, profiling that presents enumerated foreseeable risks, the processing of sensitive data, and any processing presenting a heightened risk of harm to consumers [^q4-dpa]. An assessment prepared for a comparable law can satisfy the duty if its scope and effect are reasonably comparable, and producing one to the Attorney General on request does not waive privilege [^q4-dpa-comparable].

For businesses outside the FDBR there is no Florida omnibus DPA mandate, but vendor terms are not optional in practice: FIPA gives every covered entity's *third-party agents* a hard 10-day duty to report breaches back up to the covered entity [^q4-fipa-agent], and the federal overlay supplies contracting obligations in regulated verticals — the GLBA Safeguards Rule requires financial institutions to bind service providers to safeguards by contract [^q4-glba], and HIPAA requires business-associate agreements before sharing protected health information [^q4-hipaa-baa]. Carrying the FDBR's contract checklist into ordinary vendor agreements — instructions, confidentiality, deletion, audit cooperation, subcontractor flow-down, breach reporting — is the durable approach even where no statute compels it.

## What rights do Florida consumers have over their personal data? {#consumer-rights}

**Short answer.** Against FDBR controllers, Florida consumers hold the familiar slate — confirmation and access, correction, deletion of any or all personal data provided by or obtained about them, and portability — plus opt-outs from targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects [^q5-rights]. Florida then adds two opt-outs found in few other states: the right to opt out of the collection or processing of sensitive data, including precise geolocation, and the right to opt out of collection through voice-recognition or facial-recognition features [^q5-rights]. Against businesses outside the FDBR's controller definition, Florida law confers none of these rights.

The mechanics are controller-friendly on one axis and strict on another. A controller has 45 days to respond, extendable once by only 15 days — shorter than the 45-day extension common elsewhere — with notice and reasons given inside the initial window [^q5-timing]. Requests are free at least twice a year per consumer [^q5-free-requests]; refusals must come with an appeal path, and the controller must run a conspicuous appeal process with a written, reasoned decision within 60 days [^q5-appeal]. Contract terms that waive or limit these rights are void as against public policy [^q5-waiver]. On request methods, the FDBR requires two or more secure, reliable, conspicuously accessible methods plus a website mechanism; it does not itself require honoring universal opt-out preference signals such as Global Privacy Control [^q5-methods].

One device-level rule deserves separate attention: a device with a voice-recognition, facial-recognition, video, audio, or other sensory collection feature may not use those features for surveillance when the consumer is not actively using them, absent express authorization [^q5-surveillance]. For hardware and smart-device makers in the FDBR's perimeter, this is a design constraint, not a notice item.

## When must you notify people of a data breach in Florida? {#breach-notification}

**Short answer.** Within 30 days, and the clock is one of the country's strictest. Under FIPA, a *breach of security* means unauthorized *access* of electronic data containing personal information — access alone, not access plus acquisition as many states require [^q6-trigger]. A covered entity must notify each affected Florida resident as expeditiously as practicable but no later than 30 days after determining a breach occurred or having reason to believe one occurred [^q6-individual-notice], and must notify the Department of Legal Affairs within the same 30 days whenever a breach affects 500 or more Floridians. The statute separately allows 15 additional days for the individual notice required under subsection (4) if good cause is provided in writing to the department within the first 30 days [^q6-ag-notice].

*Personal information* under FIPA is a name combined with a Social Security number, government-issued ID number, financial-account or card number with its access code, medical-history or health-insurance identifiers, biometric data, or — distinctively — any information regarding the individual's geolocation; a username or email with a password or security answer also qualifies on its own [^q6-pi-def]. Biometric data and geolocation were added to the definition by the same 2023 act that created the FDBR, so a leak of location logs can now be a reportable Florida breach. Encrypted or properly de-identified data is excluded.

FIPA is also a security and records-disposal statute, not only a notification law. Covered entities, governmental entities, and third-party agents must take reasonable measures to protect and secure electronic data containing personal information, and covered entities or third-party agents must use reasonable disposal measures when customer records containing personal information no longer need to be retained [^q6-security-disposal].

Vendors are on a faster clock than their customers: a third-party agent that maintains data on a covered entity's behalf must notify the covered entity within 10 days of determining a breach, after which the covered entity owes the individual and regulator notices [^q6-agent]. Notice to nationwide consumer reporting agencies is required when more than 1,000 individuals are notified at once [^q6-cra]. The stakes for missing the deadlines are explicit: late or absent notice draws civil penalties that escalate from $1,000 per day to a cap of $500,000 per breach [^q6-penalty].

There is a risk-of-harm off-ramp, but it is paperwork-heavy: individual notice is excused only if, after investigation and consultation with law enforcement, the entity reasonably determines the breach will not likely result in identity theft or other financial harm — and that determination must be written, kept for five years, and filed with the department within 30 days [^q6-waiver].

> [!NOTE]
> **Practice note.**
>
> Florida's *unauthorized access* trigger can start the 30-day clock even when forensics cannot show data was actually taken — access to the data is the statutory event, and only a documented written determination of no likely identity theft or financial harm, filed with the Department of Legal Affairs, excuses individual notice [^q6-trigger] [^q6-waiver]. Build the written-determination step into the incident-response plan rather than treating no proof of exfiltration as the end of the analysis.

## What special rules protect children and teens online in Florida? {#childrens-online-rules}

**Short answer.** Two statutes, with different targets. Section 501.1735 governs *online platforms* — social media platforms, online games, and gaming platforms — whose services are likely to be predominantly accessed by children (anyone under 18), and bars them from processing children's personal information when the platform knows or willfully disregards that the processing may result in substantial harm or privacy risk to children [^q7-1735-prohibitions]. Section 501.1736, the 2024 social media law known as HB 3, goes further for younger users: a covered platform must bar minors under 14 from holding accounts [^q7-1736-under14] and may open accounts for 14- and 15-year-olds only with a parent's or guardian's consent [^q7-1736-teens].

Section 501.1735 also restricts profiling of children, bars collecting, selling, sharing, or retaining their personal information beyond what the service requires, forbids dark patterns, and conditions any collection of a child's precise geolocation on strict necessity plus an obvious on-screen sign while collection runs [^q7-1735-prohibitions]. The burden of justifying covered processing is on the platform, not the regulator [^q7-1735-burden]. Violations are enforceable solely by the Department of Legal Affairs at up to $50,000 per violation, tripled where the platform had actual knowledge the child was under 18 [^q7-1735-penalty].

HB 3 layers account-termination duties onto its age rules — terminating under-14 accounts with a 90-day dispute window, honoring termination requests from minors and parents on 5- and 10-business-day clocks, and permanently deleting the terminated minor's personal information [^q7-1736-termination]. Unusually for Florida privacy law, it also gives the minor a direct remedy: a platform that knowingly or recklessly violates the age provisions is liable to the minor account holder for up to $10,000 in damages plus fees [^q7-1736-damages].

One status note matters for compliance planning. A First Amendment challenge to § 501.1736 is pending in federal court: a district court preliminarily enjoined the law's account provisions on June 3, 2025, but the Eleventh Circuit stayed that injunction on November 25, 2025, so the statute is currently enforceable while the appeal proceeds. The merits were argued on March 10, 2026, and no decision had issued as of this note's last review — if the injunction were reinstated, the account provisions would again be blocked, but until then platforms should treat HB 3 as operative law. The challenge targets § 501.1736 only; § 501.1735's platform duties are not the subject of that litigation.

## Who enforces Florida privacy law, and can a consumer sue your business? {#consumer-lawsuit}

**Short answer.** The Department of Legal Affairs enforces the FDBR and FIPA, and neither statute gives consumers a private right of action. An FDBR violation is an unfair and deceptive trade practice actionable solely by the department, with civil penalties up to $50,000 per violation, tripled for violations involving a known child, failures to honor authenticated delete or correct requests, or continued selling or sharing after an opt-out [^q8-enforcement]. FIPA violations are treated as unfair or deceptive trade practices in department actions under FDUTPA's public-enforcement section [^q8-fipa-enforcement]. The FDBR states flatly that it creates no private cause of action [^q8-fdbr-nopra], and FIPA says the same [^q8-fipa-nopra]. The private-suit exposure that remains runs through FDUTPA, which lets anyone aggrieved seek declaratory and injunctive relief and lets a person who suffered a loss recover actual damages plus fees [^q8-fdutpa-pra].

Two features of the FDBR's enforcement design deserve attention. First, the cure period is discretionary: after written notice, the department may — not must — grant 45 days to cure, the cure window is unavailable altogether for violations involving known children, and a letter of guidance can strip cure rights for future violations [^q8-cure]. Second, the FDBR expressly switches off FDUTPA's private-remedies and exemption sections for FDBR actions, so plaintiffs cannot bootstrap FDBR violations into private FDUTPA claims [^q8-enforcement]. What FDUTPA does leave open is the ordinary deceptive-practices theory against any business: a privacy policy or marketing statement that misrepresents data practices can ground a private FDUTPA action for actual damages, and the enforcing authority can seek public FDUTPA remedies and civil penalties for willful unfair or deceptive acts [^q8-fdutpa-pra] [^q8-fdutpa-public] [^q8-fdutpa-civil-penalty]. The separate $10,000 minor-account-holder remedy under the social media law is covered in the children's question above.

[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Florida. This article synthesizes Florida primary law and is not legal advice from a Florida-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^q1-fdbr-controller]: **Fla. Stat. § 501.702(9)** — "(9) ‘Controller’ means: (a) A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements: 1. Is organized or operated for the profit or financial benefit of its shareholders or owners; 2. Conducts business in this state; 3. Collects personal data about consumers, or is the entity on behalf of which such information is collected; 4. Determines the purposes and means of processing personal data about consumers alone or jointly with others; 5. Makes in excess of $1 billion in global gross annual revenues; and 6. Satisfies at least one of the following: a. Derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online; b. Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-subparagraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle which is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; or c. Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install. (b) Any entity that controls or is controlled by a controller. As used in this paragraph, the term ‘control’ means: 1. Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a controller; 2. Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or 3. The power to exercise a controlling influence over the management of a company." *Fla. Stat. § 501.702(9)(a)–(b).* <https://www.flsenate.gov/Laws/Statutes/2025/501.702>

[^q1-fipa-covered]: **Fla. Stat. § 501.171(1)(b)** — "‘Covered entity’ means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For purposes of the notice requirements in subsections (3)-(6), the term includes a governmental entity." *Fla. Stat. § 501.171(1)(b).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q1-fdbr-apply]: **Fla. Stat. § 501.703** — "This part applies only to a person who: (a) Conducts business in this state or produces a product or service used by residents of this state; and (b) Processes or engages in the sale of personal data. (2) This part does not apply to any of the following: (a) A state agency or a political subdivision of the state. (b) A financial institution or data subject to Title V, Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq. (c) A covered entity or business associate governed by the privacy, security, and breach notification regulations issued by the United States Department of Health and Human Services, 45 C.F.R. parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq., and the Health Information Technology for Economic and Clinical Health Act, Division A, Title XIII and Division B, Title IV, Pub. L. No. 111-5. (d) A nonprofit organization. (e) A postsecondary education institution." *Fla. Stat. § 501.703(1)–(2).* <https://www.flsenate.gov/Laws/Statutes/2025/501.703>

[^q1-fdbr-hr]: **Fla. Stat. § 501.704(16)** — "(16) Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role." *Fla. Stat. § 501.704(16).* <https://www.flsenate.gov/Laws/Statutes/2025/501.704>

[^q2-sale-rule]: **Fla. Stat. § 501.715** — "(1) A person who meets the requirements of s. 501.702(9)(a)1.-3. for the definition of a controller may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer or, if the sensitive data is of a known child, without processing that data with the affirmative authorization for such processing by a known child who is between 13 and 18 years of age or in accordance with the Children’s Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq. for a known child under the age of 13. (2) A person in subsection (1) who engages in the sale of personal data that is sensitive data must provide the following notice: ‘NOTICE: This website may sell your sensitive personal data.’" *Fla. Stat. § 501.715(1)–(2).* <https://www.flsenate.gov/Laws/Statutes/2025/501.715>

[^q2-sensitive-def]: **Fla. Stat. § 501.702(31)** — "(31) ‘Sensitive data’ means a category of personal data which includes any of the following: (a) Personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. (b) Genetic or biometric data processed for the purpose of uniquely identifying an individual. (c) Personal data collected from a known child. (d) Precise geolocation data." *Fla. Stat. § 501.702(31).* <https://www.flsenate.gov/Laws/Statutes/2025/501.702>

[^q2-sale-def]: **Fla. Stat. § 501.702(29)** — "(29) ‘Sale of personal data’ means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. The term does not include any of the following: (a) The disclosure of personal data to a processor who processes the personal data on the controller’s behalf. (b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer. (c) The disclosure of information that the consumer: 1. Intentionally made available to the general public through a mass media channel; and 2. Did not restrict to a specific audience. (d) The disclosure or transfer of personal data to a third party as an asset that is part of a merger or an acquisition." *Fla. Stat. § 501.702(29).* <https://www.flsenate.gov/Laws/Statutes/2025/501.702>

[^q2-fdbr-exemptions]: **Fla. Stat. § 501.703** — "(2) This part does not apply to any of the following: (a) A state agency or a political subdivision of the state. (b) A financial institution or data subject to Title V, Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq. (c) A covered entity or business associate governed by the privacy, security, and breach notification regulations issued by the United States Department of Health and Human Services, 45 C.F.R. parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq., and the Health Information Technology for Economic and Clinical Health Act, Division A, Title XIII and Division B, Title IV, Pub. L. No. 111-5. (d) A nonprofit organization. (e) A postsecondary education institution." *Fla. Stat. § 501.703(2).* <https://www.flsenate.gov/Laws/Statutes/2025/501.703>

[^q2-optin]: **Fla. Stat. § 501.71(2)(d)** — "(d) Process the sensitive data of a consumer without obtaining the consumer’s consent, or, in the case of processing the sensitive data of a known child, without processing that data with the affirmative authorization for such processing by a known child who is between 13 and 18 years of age or in accordance with the Children’s Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq. for a known child under the age of 13." *Fla. Stat. § 501.71(2)(d).* <https://www.flsenate.gov/Laws/Statutes/2025/501.71>

[^q3-notice-contents]: **Fla. Stat. § 501.711** — "(1) A controller shall provide consumers with a reasonably accessible and clear privacy notice, updated at least annually, that includes all of the following information: (a) The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller. (b) The purpose of processing personal data. (c) How consumers may exercise their rights under s. 501.705(2), including the process by which a consumer may appeal a controller’s decision with regard to the consumer’s request. (d) If applicable, the categories of personal data that the controller shares with third parties. (e) If applicable, the categories of third parties with whom the controller shares personal data. (f) A description of the methods specified in s. 501.709 by which consumers can submit requests to exercise their consumer rights under this part. (2) If a controller engages in the sale of personal data that is sensitive data, the controller must provide the following notice: ‘NOTICE: This website may sell your sensitive personal data.’ The notice must be posted in accordance with subsection (1). (3) If a controller engages in the sale of personal data that is biometric data, the controller must provide the following notice: ‘NOTICE: This website may sell your biometric personal data.’ The notice must be posted in accordance with subsection (1). (4) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process. (5) A controller may not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section." *Fla. Stat. § 501.711(1)–(5).* <https://www.flsenate.gov/Laws/Statutes/2025/501.711>

[^q3-fdutpa]: **Fla. Stat. § 501.204** — "Unfair methods of competition, unconscionable acts or practices, and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful." *Fla. Stat. § 501.204(1).* <https://www.flsenate.gov/Laws/Statutes/2025/501.204>

[^q3-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^q3-sale-scripts]: **Fla. Stat. § 501.711(2)–(4)** — "(2) If a controller engages in the sale of personal data that is sensitive data, the controller must provide the following notice: ‘NOTICE: This website may sell your sensitive personal data.’ The notice must be posted in accordance with subsection (1). (3) If a controller engages in the sale of personal data that is biometric data, the controller must provide the following notice: ‘NOTICE: This website may sell your biometric personal data.’ The notice must be posted in accordance with subsection (1). (4) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process." *Fla. Stat. § 501.711(2)–(4).* <https://www.flsenate.gov/Laws/Statutes/2025/501.711>

[^q3-controller-duties]: **Fla. Stat. § 501.71(1)–(2)** — "(1) A controller shall: (a) Limit the collection of personal data to data that is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed, as disclosed to the consumer; and (b) For purposes of protecting the confidentiality, integrity, and accessibility of personal data, establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue. (2) A controller may not do any of the following: (a) Except as otherwise provided by this part, process personal data for a purpose that is neither reasonably necessary nor compatible with the purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent. (b) Process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers. (c) Discriminate against a consumer for exercising any of the consumer rights contained in this part, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer. A controller may offer financial incentives, including payments to consumers as compensation, for processing of personal data if the consumer gives the controller prior consent that clearly describes the material terms of the financial incentive program and provided that such incentive practices are not unjust, unreasonable, coercive, or usurious in nature. The consent may be revoked by the consumer at any time." *Fla. Stat. § 501.71(1)–(2)(c).* <https://www.flsenate.gov/Laws/Statutes/2025/501.71>

[^q3-retention]: **Fla. Stat. § 501.719(3)** — "(3) A controller or processor shall adopt and implement a retention schedule that prohibits the use or retention of personal data not subject to an exemption by the controller or processor after the satisfaction of the initial purpose for which such information was collected or obtained, after the expiration or termination of the contract pursuant to which the information was collected or obtained, or 2 years after the consumer’s last interaction with the controller or processor. This subsection does not apply to personal data reasonably used or retained to do any of the following: (a) Provide a good or service requested by the consumer, or reasonably anticipate the request of such good or service within the context of a controller’s ongoing business relationship with the consumer. (b) Debug to identify and repair errors that impair existing intended functionality. (c) Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the controller or that are compatible with the context in which the consumer provided the information." *Fla. Stat. § 501.719(3).* <https://www.flsenate.gov/Laws/Statutes/2025/501.719>

[^q3-search-ranking]: **Fla. Stat. § 501.71(4)** — "(4) A controller that operates a search engine shall make available, in an easily accessible location on the web page which does not require a consumer to log in or register to read, an up-to-date, plain language description of the main parameters that are individually or collectively the most significant in determining ranking and the relative importance of those main parameters, including the prioritization or deprioritization of political partisanship or political ideology in search results." *Fla. Stat. § 501.71(4).* <https://www.flsenate.gov/Laws/Statutes/2025/501.71>

[^q4-processor-contract]: **Fla. Stat. § 501.712(2)** — "(2) A contract between a controller and a processor governs the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract must include all of the following information: (a) Clear instructions for processing data. (b) The nature and purpose of processing. (c) The type of data subject to processing. (d) The duration of processing. (e) The rights and obligations of both parties. (f) A requirement that the processor: 1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; 2. At the controller’s direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law; 3. Make available to the controller, upon reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with this part; 4. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; and 5. Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data." *Fla. Stat. § 501.712(2).* <https://www.flsenate.gov/Laws/Statutes/2025/501.712>

[^q4-dpa]: **Fla. Stat. § 501.713(1)–(2)** — "(1) A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data: (a) The processing of personal data for purposes of targeted advertising. (b) The sale of personal data. (c) The processing of personal data for purposes of profiling if the profiling presents a reasonably foreseeable risk of: 1. Unfair or deceptive treatment of or unlawful disparate impact on consumers; 2. Financial, physical, or reputational injury to consumers; 3. A physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or 4. Other substantial injury to consumers. (d) The processing of sensitive data. (e) Any processing activities involving personal data which present a heightened risk of harm to consumers. (2) A data protection assessment conducted under subsection (1) must do all of the following: (a) Identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. (b) Factor into the assessment: 1. The use of deidentified data; 2. The reasonable expectations of consumers; 3. The context of the processing; and 4. The relationship between the controller and the consumer whose personal data will be processed." *Fla. Stat. § 501.713(1)–(2).* <https://www.flsenate.gov/Laws/Statutes/2025/501.713>

[^q4-dpa-comparable]: **Fla. Stat. § 501.713(3)–(5)** — "(3) The disclosure of a data protection assessment in compliance with a request from the Attorney General pursuant to s. 501.72 does not constitute a waiver of attorney-client privilege or work-product protection with respect to the assessment and any information contained in the assessment. (4) A single data protection assessment may address a comparable set of processing operations which include similar activities. (5) A data protection assessment conducted by a controller for the purpose of compliance with any other law or regulation may constitute compliance with the requirements of this section if the assessment has a reasonably comparable scope and effect." *Fla. Stat. § 501.713(3)–(5).* <https://www.flsenate.gov/Laws/Statutes/2025/501.713>

[^q4-fipa-agent]: **Fla. Stat. § 501.171(6)(a)** — "(a) In the event of a breach of security of a system maintained by a third-party agent, such third-party agent shall notify the covered entity of the breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred. Upon receiving notice from a third-party agent, a covered entity shall provide notices required under subsections (3) and (4). A third-party agent shall provide a covered entity with all information that the covered entity needs to comply with its notice requirements." *Fla. Stat. § 501.171(6)(a).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q4-glba]: **GLBA Safeguards Rule** — "(f) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards." *16 C.F.R. § 314.4(f).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=(f)%20Oversee%20service%20providers%2C%20by%3A,continued%20adequacy%20of%20their%20safeguards.>

[^q4-hipaa-baa]: **HIPAA Business Associate Contracts** — "(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;" *45 C.F.R. § 164.504(e)(2)(i)–(ii)(B).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=(2)%20Implementation%20specifications%3A%20Business%20associate,provided%20for%20by%20its%20contract%3B>

[^q5-rights]: **Fla. Stat. § 501.705(2)** — "(2) A controller shall comply with an authenticated consumer request to exercise any of the following rights: (a) To confirm whether a controller is processing the consumer’s personal data and to access the personal data. (b) To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. (c) To delete any or all personal data provided by or obtained about the consumer. (d) To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format if the data is available in a digital format. (e) To opt out of the processing of the personal data for purposes of: 1. Targeted advertising; 2. The sale of personal data; or 3. Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer. (f) To opt out of the collection of sensitive data, including precise geolocation data, or the processing of sensitive data. (g) To opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature." *Fla. Stat. § 501.705(2).* <https://www.flsenate.gov/Laws/Statutes/2025/501.705>

[^q5-timing]: **Fla. Stat. § 501.706(2)** — "(2) A controller shall respond to the consumer request without undue delay, which may not be later than 45 days after the date of receipt of the request. The controller may extend the response period once by an additional 15 days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, so long as the controller informs the consumer of the extension within the initial 45-day response period, together with the reason for the extension." *Fla. Stat. § 501.706(2).* <https://www.flsenate.gov/Laws/Statutes/2025/501.706>

[^q5-free-requests]: **Fla. Stat. § 501.706(5)** — "(5) A controller shall provide information or take action in response to a consumer request free of charge, at least twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request. The controller bears the burden of demonstrating for purposes of this subsection that a request is manifestly unfounded, excessive, or repetitive." *Fla. Stat. § 501.706(5).* <https://www.flsenate.gov/Laws/Statutes/2025/501.706>

[^q5-appeal]: **Fla. Stat. § 501.707** — "(1) A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision under s. 501.706(3). (2) The appeal process must be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request under s. 501.705. (3) A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this section within 60 days after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision." *Fla. Stat. § 501.707.* <https://www.flsenate.gov/Laws/Statutes/2025/501.707>

[^q5-waiver]: **Fla. Stat. § 501.708** — "Any provision of a contract or agreement which waives or limits in any way a consumer right described by s. 501.705, s. 501.706, or s. 501.707 is contrary to public policy and is void and unenforceable." *Fla. Stat. § 501.708.* <https://www.flsenate.gov/Laws/Statutes/2025/501.708>

[^q5-methods]: **Fla. Stat. § 501.709** — "(1) A controller shall establish two or more methods to enable consumers to submit a request to exercise their consumer rights under this part. The methods must be secure, reliable, and clearly and conspicuously accessible. The methods must take all of the following into account: (a) The ways in which consumers normally interact with the controller. (b) The necessity for secure and reliable communications of these requests. (c) The ability of the controller to authenticate the identity of the consumer making the request. (2) A controller may not require a consumer to create a new account to exercise the consumer’s rights under this part but may require a consumer to use an existing account. (3) A controller shall provide a mechanism on its website for a consumer to submit a request for information required to be disclosed under this part. A controller that operates exclusively online and has a direct relationship with a consumer from whom the controller collects personal data may also provide an e-mail address for the submission of requests." *Fla. Stat. § 501.709.* <https://www.flsenate.gov/Laws/Statutes/2025/501.709>

[^q5-surveillance]: **Fla. Stat. § 501.705(3)** — "(3) A device that has a voice recognition feature, a facial recognition feature, a video recording feature, an audio recording feature, or any other electronic, visual, thermal, or olfactory feature that collects data may not use those features for the purpose of surveillance by the controller, processor, or affiliate of a controller or processor when such features are not in active use by the consumer, unless otherwise expressly authorized by the consumer." *Fla. Stat. § 501.705(3).* <https://www.flsenate.gov/Laws/Statutes/2025/501.705>

[^q6-trigger]: **Fla. Stat. § 501.171(1)(a)** — "‘Breach of security’ or ‘breach’ means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use." *Fla. Stat. § 501.171(1)(a).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q6-individual-notice]: **Fla. Stat. § 501.171(4)(a)** — "A covered entity shall give notice to each individual in this state whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach. Notice to individuals shall be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to a delay authorized under paragraph (b) or waiver under paragraph (c)." *Fla. Stat. § 501.171(4)(a).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q6-ag-notice]: **Fla. Stat. § 501.171(3)(a)** — "A covered entity shall provide notice to the department of any breach of security affecting 500 or more individuals in this state. Such notice must be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. A covered entity may receive 15 additional days to provide notice as required in subsection (4) if good cause for delay is provided in writing to the department within 30 days after determination of the breach or reason to believe a breach occurred." *Fla. Stat. § 501.171(3)(a).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q6-pi-def]: **Fla. Stat. § 501.171(1)(g)** — "(g)1. ‘Personal information’ means either of the following: a. An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual: (I) A social security number; (II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity; (III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account; (IV) Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (V) An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; (VI) An individual’s biometric data as defined in s. 501.702; or (VII) Any information regarding an individual’s geolocation. b. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. 2. The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable." *Fla. Stat. § 501.171(1)(g).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q6-security-disposal]: **Fla. Stat. § 501.171(2)–(8)** — "(2) REQUIREMENTS FOR DATA SECURITY.—Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information. (3) NOTICE TO DEPARTMENT OF SECURITY BREACH.— (a) A covered entity shall provide notice to the department of any breach of security affecting 500 or more individuals in this state. Such notice must be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. A covered entity may receive 15 additional days to provide notice as required in subsection (4) if good cause for delay is provided in writing to the department within 30 days after determination of the breach or reason to believe a breach occurred. (b) The written notice to the department must include: 1. A synopsis of the events surrounding the breach at the time notice is provided. 2. The number of individuals in this state who were or potentially have been affected by the breach. 3. Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services. 4. A copy of the notice required under subsection (4) or an explanation of the other actions taken pursuant to subsection (4). 5. The name, address, telephone number, and e-mail address of the employee or agent of the covered entity from whom additional information may be obtained about the breach. (c) The covered entity must provide the following information to the department upon its request: 1. A police report, incident report, or computer forensics report. 2. A copy of the policies in place regarding breaches. 3. Steps that have been taken to rectify the breach. (d) A covered entity may provide the department with supplemental information regarding a breach at any time. (e) For a covered entity that is the judicial branch, the Executive Office of the Governor, the Department of Financial Services, or the Department of Agriculture and Consumer Services, in lieu of providing the written notice to the department, the covered entity may post the information described in subparagraphs (b)1.-4. on an agency-managed website. (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.— (a) A covered entity shall give notice to each individual in this state whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach. Notice to individuals shall be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to a delay authorized under paragraph (b) or waiver under paragraph (c). (b) If a federal, state, or local law enforcement agency determines that notice to individuals required under this subsection would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request made under this paragraph to a specified date if further delay is necessary. (c) Notwithstanding paragraph (a), notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity shall provide the written determination to the department within 30 days after the determination. (d) The notice to an affected individual shall be by one of the following methods: 1. Written notice sent to the mailing address of the individual in the records of the covered entity; or 2. E-mail notice sent to the e-mail address of the individual in the records of the covered entity. (e) The notice to an individual with respect to a breach of security shall include, at a minimum: 1. The date, estimated date, or estimated date range of the breach of security. 2. A description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security. 3. Information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual. (f) A covered entity required to provide notice to an individual may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $250,000, because the affected individuals exceed 500,000 persons, or because the covered entity does not have an e-mail address or mailing address for the affected individuals. Such substitute notice shall include the following: 1. A conspicuous notice on the Internet website of the covered entity if the covered entity maintains a website; and 2. Notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside. (g) Notice provided pursuant to rules, regulations, procedures, or guidelines established by the covered entity’s primary or functional federal regulator is deemed to be in compliance with the notice requirement in this subsection if the covered entity notifies affected individuals in accordance with the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator in the event of a breach of security. Under this paragraph, a covered entity that timely provides a copy of such notice to the department is deemed to be in compliance with the notice requirement in subsection (3). (5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered entity discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single time, the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing, distribution, and content of the notices. (6) NOTICE BY THIRD-PARTY AGENTS; DUTIES OF THIRD-PARTY AGENTS; NOTICE BY AGENTS.— (a) In the event of a breach of security of a system maintained by a third-party agent, such third-party agent shall notify the covered entity of the breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred. Upon receiving notice from a third-party agent, a covered entity shall provide notices required under subsections (3) and (4). A third-party agent shall provide a covered entity with all information that the covered entity needs to comply with its notice requirements. (b) An agent may provide notice as required under subsections (3) and (4) on behalf of the covered entity; however, an agent’s failure to provide proper notice shall be deemed a violation of this section against the covered entity. (7) ANNUAL REPORT.—By February 1 of each year, the department shall submit a report to the President of the Senate and the Speaker of the House of Representatives describing the nature of any reported breaches of security by governmental entities or third-party agents of governmental entities in the preceding calendar year along with recommendations for security improvements. The report shall identify any governmental entity that has violated any of the applicable requirements in subsections (2)-(6) in the preceding calendar year. (8) REQUIREMENTS FOR DISPOSAL OF CUSTOMER RECORDS.—Each covered entity or third-party agent shall take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means." *Fla. Stat. § 501.171(2)–(8).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q6-agent]: **Fla. Stat. § 501.171(6)(a)** — "In the event of a breach of security of a system maintained by a third-party agent, such third-party agent shall notify the covered entity of the breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred. Upon receiving notice from a third-party agent, a covered entity shall provide notices required under subsections (3) and (4)." *Fla. Stat. § 501.171(6)(a).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q6-cra]: **Fla. Stat. § 501.171(5)** — "(5) NOTICE TO CREDIT REPORTING AGENCIES.—If a covered entity discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single time, the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p), of the timing, distribution, and content of the notices." *Fla. Stat. § 501.171(5).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q6-penalty]: **Fla. Stat. § 501.171(9)(b)** — "(b) In addition to the remedies provided for in paragraph (a), a covered entity that violates subsection (3) or subsection (4) shall be liable for a civil penalty not to exceed $500,000, as follows: 1. In the amount of $1,000 for each day up to the first 30 days following any violation of subsection (3) or subsection (4) and, thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days. 2. If the violation continues for more than 180 days, in an amount not to exceed $500,000. The civil penalties for failure to notify provided in this paragraph apply per breach and not per individual affected by the breach." *Fla. Stat. § 501.171(9)(b).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q6-waiver]: **Fla. Stat. § 501.171(4)(c)** — "Notwithstanding paragraph (a), notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity shall provide the written determination to the department within 30 days after the determination." *Fla. Stat. § 501.171(4)(c).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q7-1735-prohibitions]: **Fla. Stat. § 501.1735(2)** — "(2) PROHIBITIONS.—An online platform that provides an online service, product, game, or feature likely to be predominantly accessed by children may not: (a) Process the personal information of any child if the online platform has actual knowledge of or willfully disregards that the processing may result in substantial harm or privacy risk to children. (b) Profile a child unless both of the following criteria are met: 1. The online platform can demonstrate it has appropriate safeguards in place to protect children. 2.a. Profiling is necessary to provide the online service, product, or feature requested for the aspects of the online service, product, or feature with which the child is actively and knowingly engaged; or b. The online platform can demonstrate a compelling reason that profiling does not pose a substantial harm or privacy risk to children. (c) Collect, sell, share, or retain any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged unless the online platform can demonstrate a compelling reason that collecting, selling, sharing, or retaining the personal information does not pose a substantial harm or privacy risk to children. (d) Use personal information of a child for any reason other than the reason for which the personal information was collected, unless the online platform can demonstrate a compelling reason that the use of the personal information does not pose a substantial harm or privacy risk to children. (e) Collect, sell, or share any precise geolocation data of children unless the collection of the precise geolocation data is strictly necessary for the online platform to provide the service, product, or feature requested and then only for the limited time that the collection of the precise geolocation data is necessary to provide the service, product, or feature. (f) Collect any precise geolocation data of a child without providing an obvious sign to the child for the duration of the collection that the precise geolocation data is being collected. (g) Use dark patterns to lead or encourage children to provide personal information beyond what personal information would otherwise be reasonably expected to be provided for that online service, product, game, or feature; to forego privacy protections; or to take any action that the online platform has actual knowledge of or willfully disregards that may result in substantial harm or privacy risk to children. (h) Use any personal information collected to estimate age or age range for any other purpose or retain that personal information longer than necessary to estimate age. The age estimate must be proportionate to the risks and data practice of an online service, product, or feature." *Fla. Stat. § 501.1735(2).* <https://www.flsenate.gov/Laws/Statutes/2025/501.1735>

[^q7-1736-under14]: **Fla. Stat. § 501.1736(2)(a)** — "(2)(a) A social media platform shall prohibit a minor who is younger than 14 years of age from entering into a contract with a social media platform to become an account holder." *Fla. Stat. § 501.1736(2)(a).* <https://www.flsenate.gov/Laws/Statutes/2025/501.1736>

[^q7-1736-teens]: **Fla. Stat. § 501.1736(3)(a)** — "(3)(a) A social media platform shall prohibit a minor who is 14 or 15 years of age from entering into a contract with a social media platform to become an account holder, unless the minor’s parent or guardian provides consent for the minor to become an account holder." *Fla. Stat. § 501.1736(3)(a).* <https://www.flsenate.gov/Laws/Statutes/2025/501.1736>

[^q7-1735-burden]: **Fla. Stat. § 501.1735(3)** — "(3) BURDEN OF PROOF.—If an online platform processes personal information pursuant to subsection (2), the online platform bears the burden of demonstrating that such processing does not violate subsection (2)." *Fla. Stat. § 501.1735(3).* <https://www.flsenate.gov/Laws/Statutes/2025/501.1735>

[^q7-1735-penalty]: **Fla. Stat. § 501.1735(4)(a)** — "(a) Any violation of subsection (2) is an unfair and deceptive trade practice actionable under part II of this chapter solely by the department against an online platform. If the department has reason to believe that an online platform is in violation of subsection (2), the department, as the enforcing authority, may bring an action against such online platform for an unfair or deceptive act or practice. For the purpose of bringing an action pursuant to this section, ss. 501.211 and 501.212 do not apply. In addition to other remedies under part II of this chapter, the department may collect a civil penalty of up to $50,000 per violation of this section. Civil penalties may be tripled for any violation involving a Florida child who the online platform has actual knowledge is under 18 years of age." *Fla. Stat. § 501.1735(4)(a).* <https://www.flsenate.gov/Laws/Statutes/2025/501.1735>

[^q7-1736-termination]: **Fla. Stat. § 501.1736(2)(b), (3)(b)** — "(b) A social media platform shall: 1. Terminate any account held by an account holder younger than 14 years of age, including accounts that the social media platform treats or categorizes as belonging to an account holder who is likely younger than 14 years of age for purposes of targeting content or advertising, and provide 90 days for an account holder to dispute such termination. Termination must be effective upon the expiration of the 90 days if the account holder fails to effectively dispute the termination. 2. Allow an account holder younger than 14 years of age to request to terminate the account. Termination must be effective within 5 business days after such request. 3. Allow the confirmed parent or guardian of an account holder younger than 14 years of age to request that the minor’s account be terminated. Termination must be effective within 10 business days after such request. 4. Permanently delete all personal information held by the social media platform relating to the terminated account, unless there are legal requirements to maintain such information. (3)(a) A social media platform shall prohibit a minor who is 14 or 15 years of age from entering into a contract with a social media platform to become an account holder, unless the minor’s parent or guardian provides consent for the minor to become an account holder. (b) A social media platform shall: 1. Terminate any account held by an account holder who is 14 or 15 years of age, including accounts that the social media platform treats or categorizes as belonging to an account holder who is likely 14 or 15 years of age for purposes of targeting content or advertising, if the account holder’s parent or guardian has not provided consent for the minor to create or maintain the account. The social media platform shall provide 90 days for an account holder to dispute such termination. Termination must be effective upon the expiration of the 90 days if the account holder fails to effectively dispute the termination. 2. Allow an account holder who is 14 or 15 years of age to request to terminate the account. Termination must be effective within 5 business days after such request. 3. Allow the confirmed parent or guardian of an account holder who is 14 or 15 years of age to request that the minor’s account be terminated. Termination must be effective within 10 business days after such request. 4. Permanently delete all personal information held by the social media platform relating to the terminated account, unless there are legal requirements to maintain such information." *Fla. Stat. § 501.1736(2)(b), (3)(b).* <https://www.flsenate.gov/Laws/Statutes/2025/501.1736>

[^q7-1736-damages]: **Fla. Stat. § 501.1736(6)(a)** — "(6)(a) A social media platform that knowingly or recklessly violates subsection (2), subsection (3), or, if in effect, subsection (4) is liable to the minor account holder, including court costs and reasonable attorney fees as ordered by the court. Claimants may be awarded up to $10,000 in damages." *Fla. Stat. § 501.1736(6)(a).* <https://www.flsenate.gov/Laws/Statutes/2025/501.1736>

[^q8-enforcement]: **Fla. Stat. § 501.72(1)** — "A violation of this part is an unfair and deceptive trade practice actionable under part II of this chapter solely by the Department of Legal Affairs. If the department has reason to believe that a person is in violation of this section, the department may, as the enforcing authority, bring an action against such person for an unfair or deceptive act or practice. For the purpose of bringing an action pursuant to this section, ss. 501.211 and 501.212 do not apply. In addition to other remedies under part II of this chapter, the department may collect a civil penalty of up to $50,000 per violation. Civil penalties may be tripled for any of the following violations: (a) A violation involving a Florida consumer who is a known child. A controller that willfully disregards the consumer’s age is deemed to have actual knowledge of the consumer’s age. (b) Failure to delete or correct the consumer’s personal data pursuant to this section after receiving an authenticated consumer request or directions from a controller to delete or correct such personal data, unless an exception to the requirements to delete or correct such personal data under this section applies. (c) Continuing to sell or share the consumer’s personal data after the consumer chooses to opt out under this part." *Fla. Stat. § 501.72(1).* <https://www.flsenate.gov/Laws/Statutes/2025/501.72>

[^q8-fipa-enforcement]: **Fla. Stat. § 501.171(9)(a)** — "(9) ENFORCEMENT.— (a) A violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the department under s. 501.207 against a covered entity or third-party agent." *Fla. Stat. § 501.171(9)(a).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q8-fdbr-nopra]: **Fla. Stat. § 501.72(8)** — "(8) This part does not establish a private cause of action." *Fla. Stat. § 501.72(8).* <https://www.flsenate.gov/Laws/Statutes/2025/501.72>

[^q8-fipa-nopra]: **Fla. Stat. § 501.171(10)** — "(10) NO PRIVATE CAUSE OF ACTION.—This section does not establish a private cause of action." *Fla. Stat. § 501.171(10).* <https://www.flsenate.gov/Laws/Statutes/2025/501.171>

[^q8-fdutpa-pra]: **Fla. Stat. § 501.211** — "Without regard to any other remedy or relief to which a person is entitled, anyone aggrieved by a violation of this part may bring an action to obtain a declaratory judgment that an act or practice violates this part and to enjoin a person who has violated, is violating, or is otherwise likely to violate this part. (2) In any action brought by a person who has suffered a loss as a result of a violation of this part, such person may recover actual damages, plus attorney’s fees and court costs as provided in s. 501.2105." *Fla. Stat. § 501.211.* <https://www.flsenate.gov/Laws/Statutes/2025/501.211>

[^q8-cure]: **Fla. Stat. § 501.72(2)** — "(2) After the department has notified a person in writing of an alleged violation, the department may grant a 45-day period to cure the alleged violation and issue a letter of guidance. The 45-day cure period does not apply to an alleged violation of paragraph (1)(a). The department may consider the number and frequency of violations, the substantial likelihood of injury to the public, and the safety of persons or property in determining whether to grant 45 calendar days to cure and the issuance of a letter of guidance. If the alleged violation is cured to the satisfaction of the department and proof of such cure is provided to the department, the department may not bring an action for the alleged violation but, in its discretion, may issue a letter of guidance that indicates that the person will not be offered a 45-day cure period for any future violations. If the person fails to cure the alleged violation within 45 calendar days, the department may bring an action against such person for the alleged violation." *Fla. Stat. § 501.72(2).* <https://www.flsenate.gov/Laws/Statutes/2025/501.72>

[^q8-fdutpa-public]: **Fla. Stat. § 501.207** — "(1) The enforcing authority may bring: (a) An action to obtain a declaratory judgment that an act or practice violates this part. (b) An action to enjoin any person who has violated, is violating, or is otherwise likely to violate, this part. (c) An action on behalf of one or more consumers or governmental entities for the actual damages caused by an act or practice in violation of this part. However, damages are not recoverable under this section against a retailer who has in good faith engaged in the dissemination of claims of a manufacturer or wholesaler without actual knowledge that it violated this part." *Fla. Stat. § 501.207(1).* <https://www.flsenate.gov/Laws/Statutes/2025/501.207>

[^q8-fdutpa-civil-penalty]: **Fla. Stat. § 501.2075** — "Except as provided in s. 501.2077, any person, firm, corporation, association, or entity, or any agent or employee of the foregoing, who is willfully using, or has willfully used, a method, act, or practice declared unlawful under s. 501.204, or who is willfully violating any of the rules of the department adopted under this part, is liable for a civil penalty of not more than $10,000 for each such violation. Willful violations occur when the person knew or should have known that his or her conduct was unfair or deceptive or prohibited by rule. This civil penalty may be recovered in any action brought under this part by the enforcing authority; or the enforcing authority may terminate any investigation or action upon agreement by the person, firm, corporation, association, or entity, or the agent or employee of the foregoing, to pay a stipulated civil penalty." *Fla. Stat. § 501.2075.* <https://www.flsenate.gov/Laws/Statutes/2025/501.2075>
