(1) A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:

(a) The processing of personal data for purposes of targeted advertising.

Terms Used In Florida Statutes 501.713

  • Consumer: means an individual who is a resident of or is domiciled in this state acting only in an individual or household context. See Florida Statutes 501.702
  • Controller: means:
    (a) A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
  • Deidentified data: means data that cannot reasonably be linked to an identified or identifiable individual or a device linked to that individual. See Florida Statutes 501.702
  • Personal data: means any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. See Florida Statutes 501.702
  • Processing: means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. See Florida Statutes 501.702
  • Profiling: means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. See Florida Statutes 501.702
  • Sale of personal data: means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. See Florida Statutes 501.702
  • Sensitive data: means a category of personal data which includes any of the following:
    (a) Personal data revealing an individual's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. See Florida Statutes 501.702
  • Targeted advertising: means displaying to a consumer an advertisement selected based on personal data obtained from that consumer's activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer's preferences or interests. See Florida Statutes 501.702

(b) The sale of personal data.
(c) The processing of personal data for purposes of profiling if the profiling presents a reasonably foreseeable risk of:

1. Unfair or deceptive treatment of or unlawful disparate impact on consumers;
2. Financial, physical, or reputational injury to consumers;
3. A physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
4. Other substantial injury to consumers.
(d) The processing of sensitive data.
(e) Any processing activities involving personal data which present a heightened risk of harm to consumers.
(2) A data protection assessment conducted under subsection (1) must do all of the following:

(a) Identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.
(b) Factor into the assessment:

1. The use of deidentified data;
2. The reasonable expectations of consumers;
3. The context of the processing; and
4. The relationship between the controller and the consumer whose personal data will be processed.
(3) The disclosure of a data protection assessment in compliance with a request from the Attorney General pursuant to s. 501.72 does not constitute a waiver of attorney-client privilege or work-product protection with respect to the assessment and any information contained in the assessment.
(4) A single data protection assessment may address a comparable set of processing operations which include similar activities.
(5) A data protection assessment conducted by a controller for the purpose of compliance with any other law or regulation may constitute compliance with the requirements of this section if the assessment has a reasonably comparable scope and effect.
(6) This section applies only to processing activities generated on or after July 1, 2023.