(1) Personal data processed by a controller pursuant to ss. 501.716501.718 may not be processed for any purpose other than those specified in those sections. Personal data processed by a controller pursuant to ss. 501.716501.718 may be processed to the extent that the processing of the data is:

(a) Reasonably necessary and proportionate to the purposes specified in ss. 501.716501.718;

Terms Used In Florida Statutes 501.719

  • Consumer: means an individual who is a resident of or is domiciled in this state acting only in an individual or household context. See Florida Statutes 501.702
  • Contract: A legal written agreement that becomes binding when signed.
  • Controller: means :
    (a) A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
    1. See Florida Statutes 501.702
  • Personal data: means any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. See Florida Statutes 501.702
  • processing: means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. See Florida Statutes 501.702
  • Processor: means a person who processes personal data on behalf of a controller. See Florida Statutes 501.702
  • Third party: means a person, other than the consumer, the controller, the processor, or an affiliate of the controller or processor. See Florida Statutes 501.702
(b) Adequate, relevant, and limited to what is necessary in relation to the purposes specified in ss. 501.716501.718; and
(c) Done to assist another controller, processor, or third party with any of the purposes specified in s. 501.716, s. 501.717, or s. 501.718.
(2) A controller or processor that collects, uses, or retains personal data for the purposes specified in s. 501.717(1) must take into account the nature and purpose of such collection, use, or retention. Such personal data is subject to reasonable administrative, technical, and physical measures to protect its confidentiality, integrity, and accessibility and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.
(3) A controller or processor shall adopt and implement a retention schedule that prohibits the use or retention of personal data not subject to an exemption by the controller or processor after the satisfaction of the initial purpose for which such information was collected or obtained, after the expiration or termination of the contract pursuant to which the information was collected or obtained, or 2 years after the consumer‘s last interaction with the controller or processor. This subsection does not apply to personal data reasonably used or retained to do any of the following:

(a) Provide a good or service requested by the consumer, or reasonably anticipate the request of such good or service within the context of a controller’s ongoing business relationship with the consumer.
(b) Debug to identify and repair errors that impair existing intended functionality.
(c) Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the controller or that are compatible with the context in which the consumer provided the information.
(4) A controller or processor that processes personal data pursuant to ss. 501.716501.718 bears the burden of demonstrating that the processing of the personal data qualifies for the exemption and complies with the requirements of this section.
  Previous section
Next section  
 Part V Contents