Domestic Privacy Profile: Florida
Prepared in cooperation with
Alfred J. Saikali
Shook, Hardy & Bacon LLP, Miami
Reproduced with permission from Bloomberg Law: Privacy & Data Security, http://www.bna.com/bloomberg-law-
privacy-data-security/. Copyright © 2018 The Bureau of National Affairs, Inc., 1801 S. Bell Street, Arlington, VA
22202 (800.372.1033), http://www.bna.com.
Domestic Privacy Profile: FLORIDA
Alfred J. Saikali, of Shook, Hardy & Bacon LLP, Miami, provided expert review of the Florida Profile and
wrote the Risk Environment section. [Last updated January 2018. — Ed.]
TABLE OF CONTENTS
I. APPLICABLE LAWS AND REGULATIONS
A. Constitutional Provisions
B. Personal Data Protection Provisions
1. Who is covered?
2. What is covered?
3. Who must comply?
C. Data Management Provisions
1. Notice & Consent
2. Collection & Use
3. Disclosure to Third Parties
4. Data Storage
5. Access & Correction
6. Data Security
7. Data Disposal
8. Data Breach
9. Data Transfer & Cloud Computing
10. Other Provisions
D. Specific Types of Data
1. Biometric Data
2. Consumer Data
3. Credit Card Data
4. Credit Reports
5. Criminal Records
6. Drivers' Licenses/Motor Vehicle Records
7. Electronic Communications/Social Media Accounts
8. Financial Information
9. Health Data
10. Social Security Numbers
11. Usernames & Passwords
12. Information about Minors
13. Location Data
14. Other Personal Data
E. Sector-Specific Provisions
1. Advertising & Marketing
2. Education
3. Electronic Commerce
4. Financial Services
5. Health Care
6. HR & Employment
7. Insurance
8. Retail & Consumer Products
9. Social Media
10. Tech & Telecom
11. Other Sectors
F. Electronic Surveillance
G. Private Causes of Action
1. Consumer Protection
2. Identity Theft
3. Invasion of Privacy
4. Other Causes of Action
H. Criminal Liability
II. REGULATORY AUTHORITIES AND ENFORCEMENT
A. Attorney General
B. Other Regulators
C. Sanctions & Fines
D. Representative Enforcement Actions
E. State Resources
III. RISK ENVIRONMENT
IV. EMERGING ISSUES AND OUTLOOK
A. Recent Legislation
1. Public Records
2. Internet Identifiers
B. Proposed Legislation
1. Information Technology
2. Searches of Portable Electronic Devices
3. Broadband Privacy
4. Consumer Report Security Freezes
5. Identity Theft and Fraud Protection
C. Other Issues
1. Equifax Breach
2. Employee Social Media
I. APPLICABLE LAWS AND REGULATIONS
A. CONSTITUTIONAL PROVISIONS
Art. I, § 23 of the Florida Constitution provides for an express right of privacy, providing that “every
natural person has the right to be let alone and free from government intrusion into the person's
private life” except as otherwise provided in the Constitution. However, the right does not extend to the
public's right to access public records and meetings as provided by law.
In addition, art. I, § 12 of the Constitution, which generally prohibits unreasonable searches and
seizures, specifically guarantees a person's right to be secure against “the unreasonable interception
of private communications by any means.”
B. PERSONAL DATA PROTECTION PROVISIONS
The primary privacy and data security law in Florida is the Florida Information Protection Act (“FIPA”;
Fla. Stat. § 501.171). Under this law, businesses in the state must provide for appropriate data
security, establish disposal requirements, and provide notices of data breaches as required under the
law, as outlined in more detail below and at Section I.C.6., Section I.C.7., and Section I.C.8. The data
breach provisions of FIPA also apply to governmental entities (Fla. Stat. § 501.171(1)(b) and Fla. Stat.
§ 282.318(4)(j)(2); see Section I.C.8.), although separate provisions regarding information technology
security apply to state agencies (Fla. Stat. § 282.318; see Section I.C.6.).
Additional privacy provisions cover the fraudulent use of e-mail communications to solicit personal
information (the “Florida Antiphishing Act,” Fla. Stat. § 668.701, et seq.; see Section I.D.7.) and
impermissible eavesdropping (Fla. Stat. § 934.01, et seq.; see Section I.F.). Finally, laws related to
privacy and data security applicable to specific sectors—such as health care, insurance, and HR and
employment—are set forth in the portions of this profile dedicated to those sectors.
1. Who is covered?
The breach notification provisions of the Florida Information Protection Act (FIPA) apply to each
individual whose personal information was, or was reasonably believed to have been, accessed as a
result of a breach (Fla. Stat. § 501.171(4)(a)). However, no notification is required to such individuals
if, after an appropriate investigation and consultation with federal, state, and local law enforcement
agencies, it is determined that the breach has not and will not likely result in identity theft or any other
harm to the personal information of individuals whose personal information has been accessed (Fla.
Stat. § 501.171(4)(c)).
2. What is covered?
With respect to data security under the Florida Information Protection Act (FIPA), every covered entity,
governmental entity, or third-party agent must take reasonable measures to protect and secure data in
electronic form containing personal information (Fla. Stat. § 501.171(2)). In addition, specific
requirements govern information technology and data security standards for state agencies (Fla. Stat.
§ 282.318). For more information on data security requirements, see Section I.C.6.
With respect to FIPA's data disposal requirements, each covered entity or third-party agent must take
all reasonable measures to dispose, or arrange for the disposal, of customer records containing
personal information within its custody and control when the records are no longer required to be
maintained, through shredding, erasing, or otherwise modifying the personal information in the records
to make it unreadable or undecipherable through any means (Fla. Stat. § 501.171(8)).
The breach notification provisions of FIPA require covered entities, governmental entities, and third-
party agents to provide notification of a breach under specified circumstances (Fla. Stat. § 501.171(3)-
(7)). The notification requirements are outlined in detail at Section I.C.8.
3. Who must comply?
The data security, disposal, and breach notification requirements of the Florida Information Protection
Act (FIPA) apply to covered entities. A “covered entity” is defined as a sole proprietorship, partnership,
corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains,
or stores personal information. In addition, for purposes of the breach notification requirements, the
term includes government entities (Fla. Stat. § 501.171(1)(b); see also Fla. Stat. § 282.318(4)(j)(2)).
The law specifically requires covered entities, governmental entities, and third-party agents to comply
with FIPA's data security requirements (Fla. Stat. § 501.171(2)). The law defines a “governmental
entity” to include specified instrumentalities of the state—including departments, divisions, and
bureaus, among others—that collect, maintain, store, or use data in electronic form that contains
personal information (Fla. Stat. § 501.171(1)(f)). “Third-party agents” are entities that have been
contracted to maintain, store, or process personal information on behalf of a covered entity or
governmental entity (Fla. Stat. § 501.171(1)(h)).
The data disposal requirements of FIPA apply to covered entities and third-party agents, but not to
governmental entities (Fla. Stat. § 501.171(8)).
C. DATA MANAGEMENT PROVISIONS
1. Notice & Consent
Regulations governing the treatment of nonpublic personal financial and health information by insurers
in Florida include notice and consent requirements (see Section I.E.7.). In addition, provisions
governing specific types of health care facilities and providers and health data contain requirements
regarding notice and consent (see Section I.D.9.).
Florida's right of publicity law prohibits the publishing of a person's name or likeness for commercial,
trade, or advertising purpose without the consent of the person (Fla. Stat. § 540.08; see Section
I.E.1.).
For information on breach notification requirements under the Florida Information Protection Act
(FIPA), see Section I.C.8.
2. Collection & Use
There are no general Florida laws governing the collection and use of personal information. However,
regulations governing the treatment of nonpublic personal financial and health information by insurers
in Florida include collection and use requirements (see Section I.E.7.). In addition, provisions
governing specific types of health care facilities and providers and health data contain requirements
regarding collection and use (see Section I.D.9.).
3. Disclosure to Third Parties
There are no general Florida laws governing the disclosure of personal information to third parties.
However, regulations governing the treatment of nonpublic personal financial and health information
by insurers in Florida include requirements regarding disclosure of such information to third parties
(see Section I.E.7.). In addition, provisions governing specific types of health care facilities and
providers and health data contain requirements regarding third-party disclosure (see Section I.D.9.).
Electronic communications providers are generally prohibited from divulging the contents of electronic
communications held in storage (see Section I.D.7.). Finally, specific requirements apply to the
disclosure of financial information by a financial institution (see Section I.D.8.).
4. Data Storage
There are no general Florida laws governing data storage requirements. Specific requirements apply
to the storage and retention of employee records by employers (see Section I.E.6.).
5. Access & Correction
There are no general Florida laws governing access and correction of personal information. However,
regulations governing the treatment of nonpublic personal financial and health information by insurers
in Florida include access and correction requirements (see Section I.E.7.). In addition, provisions
governing specific types of health care facilities and providers and health data contain requirements
regarding access and correction (see Section I.D.9.). Finally, parents' and students' rights with respect
to access to student records conform to federal requirements (see Section I.E.2.).
6. Data Security
FIPA: Under the Florida Information Protection Act (FIPA), every covered entity, governmental entity,
or third-party agent must take reasonable measures to protect and secure data in electronic form
containing personal information (Fla. Stat. § 501.171(2)). A “covered entity” is defined as a sole
proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial
entity that acquires, maintains, or stores personal information (Fla. Stat. § 501.171(1)(b)). A
“governmental entity” includes specified instrumentalities of the state—including departments,
divisions, and bureaus, among others—that collect, maintain, store, or use data in electronic form that
contains personal information (Fla. Stat. § 501.171(1)(f)). “Third-party agents” are entities that have
been contracted to maintain, store, or process personal information on behalf of a covered entity or
governmental entity (Fla. Stat. § 501.171(1)(h)). A violation of this requirement is treated as an unfair
or deceptive trade practice in an action brought by the Attorney General (Fla. Stat. § 501.171(9)(a);
see Section II.C.).
Specific requirements apply to the implementation of standards adopted by the Agency for State
Technology (AST) for information technology security and rules regarding data security. The statute,
referenced as the Information Technology Security Act (Fla. Stat. § 282.318(1)), outlines the
responsibilities of the AST, including developing a statewide information technology security strategic
plan that must be updated annually by February 1 of each year, developing a framework of
procedures and risk assessment methodologies to be used by state agencies, and establishing a
security incident reporting process, among other requirements (Fla. Stat. § 282.318(3)). Each state
agency is required to designate an information security manager, establish a security incident
response team, submit a security plan adopted pursuant to the AST's rules and guidelines by July 31
each year, and fulfill a variety of other statutory requirements, including periodic audits, employee
training, and processes for detecting and responding to threats, breaches, or other incidents (Fla. Stat.
§ 282.318(4)). Any risk assessment, evaluation, external audit, or other reports related to a state's
information technology security program are considered confidential and are exempt under the state's
public records law (Fla. Stat. § 282.318(5)).
7. Data Disposal
FIPA: Under the Florida Information Protection Act (FIPA), each covered entity or third-party agent
must take all reasonable measures to dispose, or arrange for the disposal, of customer records
containing personal information within its custody and control when the records are no longer required
to be maintained, through shredding, erasing, or otherwise modifying the personal information in the
records to make it unreadable or undecipherable through any means (Fla. Stat. § 501.171(8)). A
“covered entity” is defined as a sole proprietorship, partnership, corporation, trust, estate, cooperative,
association, or other commercial entity that acquires, maintains, or stores personal information (Fla.
Stat. § 501.171(1)(b)). “Third-party agents” are entities that have been contracted to maintain, store, or
process personal information on behalf of a covered entity or governmental entity (Fla. Stat.
§ 501.171(1)(h)). A violation of this requirement is treated as an unfair or deceptive trade practice in an
action brought by the Attorney General (Fla. Stat. § 501.171(9)(a); see Section II.C.).
8. Data Breach
Under the Florida Information Protection Act (FIPA), covered entities, governmental entities, and third-
party agents must provide notification of a breach involving personal information under specified
circumstances (Fla. Stat. § 501.171(3)-(7)), as outlined more fully below.
Primary definitions: A “covered entity” is defined as a sole proprietorship, partnership, corporation,
trust, estate, cooperative, association, or other commercial entity that acquires, maintains, or stores
personal information, including governmental entities (Fla. Stat. § 501.171(1)(b); see also Fla. Stat.
§ 282.318(4)(j)(2)). A “governmental entity” includes specified instrumentalities of the state—including
departments, divisions, and bureaus, among others—that collect, maintain, store, or use data in
electronic form that contains personal information (Fla. Stat. § 501.171(1)(f)). “Third-party agents” are
entities that have been contracted to maintain, store, or process personal information on behalf of a
covered entity or governmental entity (Fla. Stat. § 501.171(1)(h)).
“Personal information” means either of the following:
• an individual's first name or first initial and last name in combination with any of the following
data elements:
◦ social security number;
◦ driver's license or ID card number, passport number, military ID number, or other
number issued on a government document;
◦ financial account number or credit or debit card number in combination with any
required security code, access code, or password;
◦ any information regarding an individual's medical history, mental or physical
condition, or medical treatment or diagnosis; or
◦ health insurance policy number or subscriber identification number and any unique
identifier used by a health insurer to identify the individual; OR
• A username or e-mail address, in combination with a password or security question and
answer permitting access to an individual's online account (Fla. Stat. § 501.171(1)(g)).
“Breach of security” or “breach” means unauthorized access to data in electronic form containing
personal information, but good faith access by an employee or agent of a covered entity is not a
breach of security provided that the information is not used for a purpose unrelated to the business or
subject to further unauthorized use (Fla. Stat. § 501.171(1)(a)).
Notice to individuals: A covered entity must give notice to each individual in Florida whose personal
information was, or the covered entity reasonably believes to have been, accessed as a result of a
breach. Notice must be provided as expeditiously as possible and without unreasonable delay, taking
into account the amount of time needed for the entity to determine the extent of the breach, identify
affected individuals, and restore the reasonable integrity of the data system. Notification must be made
no later than 30 days after the determination of a breach or a reason to believe that a breach has
occurred, unless an exception applies (Fla. Stat. § 501.171(4)(a)).
Notification may be delayed if a federal, state, or local law enforcement agency determines that such
notice would interfere with a criminal investigation and makes a written request to delay notification for
a specified period. By subsequent written request, a law enforcement agency may revoke the delay as
of a specified date or extend the period specified in the original request (Fla. Stat. § 501.171(4)(b)).
Notice to individuals is not required if, after an appropriate investigation and consultation with federal,
state, and local law enforcement agencies, it is determined that the breach has not and will not likely
result in identity theft or any other harm to the personal information of individuals whose personal
information has been accessed. This determination must be documented in writing and maintained for
at least five years. The covered entity must provide the determination to the Attorney General within 30
days (Fla. Stat. § 501.171(4)(c)).
Notice to individuals may be made by written notice sent to the mailing address of the individual or e-
mail notice sent to the e-mail address of the individual in the records of the covered entity (Fla. Stat.
§ 501.171(4)(d)). The notice must include the date, estimated date, or estimated date range of the
breach; a description of the personal information accessed; and information on how an individual can
contact the covered entity to inquire about the breach and the information maintained by the entity
(Fla. Stat. § 501.171(4)(e)). Substitute notice, by a conspicuous notice on the covered entity's website
if it maintains one or by notice in specified print or broadcast media, is permitted if the cost of providing
notice would exceed $250,000, the number of affected individuals exceeds 500,000, or the covered
entity does not have mailing or e-mail address information for affected individuals (Fla. Stat.
§ 501.171(4)(f)). An entity that provides notice in accordance with the rules established by its primary
or functional federal regulator is deemed to meet FIPA notice requirements (Fla. Stat.
§ 501.171(4)(g)).
Notice to the Attorney General: A covered entity must provide notice to the Attorney General
(referenced in the law as the Department of Legal Affairs) of any breach of security affecting 500 or
more Florida residents. Notice must be made as expeditiously as practicable, but no later than 30 days
after determination of the breach or reason to believe a breach occurred. A 15-day extension for the
notice required to individuals (see above) is available if a covered entity provides the Attorney General
with good cause for a delay in writing within 30 days after determination of the breach or reason to
believe a breach occurred (Fla. Stat. § 501.171(3)(a)).
Notice to the Attorney General must include a synopsis of the events surrounding the breach, the
number of individuals in Florida who were or potentially have been affected, services being offered
without charge by the covered entity to affected individuals, a copy of the notice provided to individuals
or an explanation of other actions taken pursuant to the individual notice requirement, and the name
and contact information of an employee or agent of the covered entity from whom additional
information may be obtained (Fla. Stat. § 501.171(3)(b)). On request from the Attorney General, a
covered entity must provide any police reports, incident reports, or forensic reports; a copy of its
security breach policy; or information on steps taken to rectify the breach (Fla. Stat. § 501.171(3)(c)).
Covered entities may provide supplemental information at any time, and specified governmental
entities, including the judicial branch of the Governor's office, may post required information on an
agency-managed website in lieu of written notice (Fla. Stat. § 501.171(3)(d)-(e)).
Notice by third-party agents: A third-party agent must notify a covered entity of any breach of
security of a system maintained by the third-party agent on the entity's behalf as expeditiously as
possible, but no later than 10 days following the determination of a breach of security or reason to
believe the breach occurred. On receiving notice, the covered entity must then provide individual
notice and notice to the Attorney General as required by FIPA (see above). The third-party agent must
provide the covered entity with all necessary information to allow it to comply with notice requirements
(Fla. Stat. § 501.171(6)(a)).
A third-party agent may provide notice as outlined in FIPA on behalf of a covered entity, but an agent's
failure to provide proper notice is deemed a violation by the covered entity (Fla. Stat. § 501.171(6)(b)).
Notice to credit reporting agencies: In a circumstance requiring notice to more than 1,000
individuals at a single time, a covered entity must also notify all consumer reporting agencies that
compile and maintain consumer information on a nationwide basis of the timing, content, and
distribution of individual notices without unreasonable delay (Fla. Stat. § 501.171(5)).
Public records exemption: Information provided to the Attorney General following a data security
incident is confidential and may not be disclosed under the state's public records law unless a
specified exception applies (Fla. Stat. § 501.171(11)).
Remedies: A violation of the data breach notification requirements is treated as an unfair or deceptive
trade practice in an action brought by the Attorney General, and additional specific remedies are
available, although there is no private cause of action for a violation (Fla. Stat. § 501.171(9)-(10); see
Section II.C.).
9. Data Transfer & Cloud Computing
Our research has revealed no provisions of Florida law specifically addressing data transfers or cloud
computing, but Fla. Stat. § 282.201, which pertains to the state data center established by the Agency
for State Technology, permits the hosting of data services “externally through a third-party provider as
an enterprise information technology service.”
Furthermore, Opinion 12-3 of the Professional Ethics Committee of the Florida Bar indicates that
lawyers may use cloud computing “if they take reasonable precautions to ensure that confidentiality of
client information is maintained, that the service provider maintains adequate security, and that the
lawyer has adequate access to the information stored remotely.”
10. Other Provisions
Our research has revealed no other generally applicable data management provisions in Florida.
D. SPECIFIC TYPES OF DATA
1. Biometric Data
Public school institutions and agencies may not collect biometric information of students, or their
parents or siblings. The law defines “biometric information” as information collected from the electronic
measurement or evaluation of any physical or behavioral characteristics attributable to a single
person, including fingerprints; hand, eye, or vocal characteristics; and any other characteristics used
for the purpose of electronically identifying the person with a high degree of certainty. Examples
include fingerprint or hand scans, retina or iris scans, voice prints, and facial geometry scans (Fla.
Stat. § 1002.222(1)(a)).
2. Consumer Data
Under the data disposal provisions of the Florida Information Protection Act (FIPA), each covered
entity or third-party agent must take all reasonable measures to dispose, or arrange for the disposal, of
customer records containing personal information within its custody and control when the records are
no longer required to be maintained, through shredding, erasing, or otherwise modifying the personal
information in the records to make it unreadable or undecipherable through any means (Fla. Stat.
§ 501.171(8)). A “covered entity” includes any sole proprietorship, partnership, corporation, trust,
estate, cooperative, association, or other commercial entity that acquires, maintains, or stores
personal information (Fla. Stat. § 501.171(1)(b)). For more information on data disposal requirements,
see Section I.C.7.
Consumer data generally contains information that is considered “personal information”—such as an
individual's name coupled with defined data elements like social security numbers or account
numbers—and is therefore subject to the data security and breach notification requirements of FIPA.
For an explanation of these provisions, see Section I.C.6. (data security) and Section I.C.8. (breach
notification).
3. Credit Card Data
Account numbers prohibited on receipts: A merchant who accepts a credit card for payment may
not print more than the last five digits of a person's credit card number or the expiration date of the
card on any receipt provided to the cardholder. The prohibition applies only to electronically printed
receipts and is inapplicable to transactions in which the sole means of recording the credit card
number is by handwriting or an imprint of the card (Fla. Stat. § 501.0118(2)-(3)). A violation constitutes
a noncriminal violation subject to a fine, and a state's attorney may bring an action to enforce the
provision (see Section II.C.).
FIPA: Credit and debit card numbers are included as a data element that, when combined with an
individual's name, is considered “personal information” under the Florida Information Protection Act
(FIPA). Therefore, such data is subject to the data security, data disposal, and breach notification
requirements of FIPA. For an explanation of these provisions, see Section I.C.6. (data security),
Section I.C.7. (data disposal), and Section I.C.8. (breach notification).
4. Credit Reports
Security freezes: A consumer may place a security freeze on his consumer report by making a
request in writing to the consumer reporting agency, including proper identification, and paying a fee
(Fla. Stat. § 501.005(2)). The consumer reporting agency must place such a freeze within five
business days of receiving the request and must send written confirmation to the consumer within 10
business days of instituting the freeze, together with a unique ID number to be used by the consumer
to provide authorization for removal of the freeze (Fla. Stat. § 501.005(3)-(4)). The statute specifies
procedures for temporarily lifting a freeze, providing access to limited information, and removing a
freeze (Fla. Stat. § 501.005(5)-(11)). A security freeze does not apply to circumstances and persons
specified by law (Fla. Stat. § 501.005(12) and (15)). In addition, the law contains requirements for
charging fees (Fla. Stat. § 501.005(13)) and prohibits a credit reporting agency from changing
specified information in a consumer report—such as name, address, date of birth, or social security
number—without sending written confirmation of the change to the consumer within 30 days of posting
the change in the consumer's file (Fla. Stat. § 501.005(14)). Consumers may bring a cause of action
for violations (see Section I.G.1.).
Specific provisions apply to security freezes placed on the consumer report of a protected person,
defined as a person under the age of 16 or a specified person represented by a guardian or advocate
(Fla. Stat. § 501.0051).
FIPA: Information generally included in credit reports, including an individual's name in combination
with data elements such as social security numbers or account numbers, is considered “personal
information” under the Florida Information Protection Act (FIPA). Therefore, such data is subject to the
data security, data disposal, and breach notification requirements of FIPA. For an explanation of these
provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach
notification).
Under FIPA, if a breach of personal information involves more than 1,000 individuals at a single time,
a covered entity must notify all consumer reporting agencies that compile and maintain consumer
information on a nationwide basis of the timing, content, and distribution of individual notices without
unreasonable delay (Fla. Stat. § 501.171(5); see Section I.C.8.).
5. Criminal Records
Anti-discrimination provisions: Criminal background checks generally are permitted in Florida.
However, no person may be disqualified from employment by a state or local subdivision or agency
because of a prior conviction of a crime, unless the crime was a felony or first-degree misdemeanor
and directly related to the position sought. This prohibition does not apply to law enforcement and
correctional agencies, fire departments in relation to hiring firefighters, or the hiring of county or
municipality personnel for positions critical to security or public safety (Fla. Stat. § 112.011).
Required background checks: Certain employers, primarily those who are involved in working with
children or the elderly, are required by law to conduct criminal background checks on applicants and
employees prior to allowing them to work in such an environment (see, e.g., Fla. Stat. § 394.4572
regarding mental health personnel, or Fla. Stat. § 400.215 regarding nursing home personnel). The
screening requirements are outlined in detail at Fla. Stat. §§ 435.001, et seq.
Negligent hiring safe harbor: Florida statutory tort law provides a safe harbor provision for
employers who are being sued for an intentional tort of an employee. Under this provision, an
employer is presumed not to have been negligent in hiring the employee if, prior to hiring the
employee, the employer conducted a background investigation that did not reveal any information
reasonably demonstrating the unsuitability of the applicant. However, the failure of an employer to
conduct such an investigation does not raise any presumption that the employer did not use
reasonable care in hiring. The statute specifies the required elements of a background check,
including conducting a criminal background investigation meeting enumerated requirements, making
an effort to obtain references, asking specified questions in the job application, checking driver's
license records when relevant, and interviewing the applicant (Fla. Stat. § 768.096).
6. Drivers' Licenses/Motor Vehicle Records
FIPA: Driver's license numbers are included as a data element that, when combined with an
individual's name, is considered “personal information” under the Florida Information Protection Act
(FIPA). Therefore, such data is subject to the data security, data disposal, and breach notification
requirements of FIPA. For an explanation of these provisions, see Section I.C.6. (data security),
Section I.C.7. (data disposal), and Section I.C.8. (breach notification).
Personal information contained in motor vehicle records: Personal information, including highly
restricted personal information as defined under the federal Driver's Privacy Protection Act (DPPA),
contained in a Florida motor vehicle record is confidential and may only be disclosed as authorized
under the DPPA. In addition, information received under an authorization in the DPPA may not be
used for mass commercial solicitation of clients for litigation against motor vehicle dealers (Fla. Stat.
§ 119.0712(2)(b)).
ALPRs: Specified images and data collected through the use of an automated license plate
recognition system (ALPR) and personal identifying information of an individual contained in data
generated from an image are confidential and are exempt from disclosure under Florida's public
records law. Exceptions exist for disclosures to criminal justice authorities and to the individual to
whom the license is registered under specified conditions (Fla. Stat. § 316.0777).
Negligent hiring safe harbor: An element of a required background investigation that would shield an
employer from tort liability for negligent hiring (see Section I.C.5.) includes obtaining, with written
consent of the applicant, the driver's license record of the applicant if the check is relevant to the work
the applicant will be performing and the record can be reasonably obtained (Fla. Stat.
§ 768.096(1)(d)).
7. Electronic Communications/Social Media Accounts
Disclosure of customer communications or records: Providers of electronic communications
services generally may not disclose to any person or entity the contents of a communication while in
electronic storage by the service, or to any governmental entity a record or other information pertaining
to a subscriber or customer of the service (Fla. Stat. § 934.22(1)(a)). Similar restrictions apply to
providers of remote computing services (Fla. Stat. § 934.22(1)(b)). Exceptions are provided for
disclosures to an addressee or intended recipient of a communication, disclosures made with the
lawful consent of the originator or an addressee or intended recipient, disclosures to persons
authorized to forward a communication to its destination, and disclosures to law enforcement agencies
meeting certain conditions, among others (Fla. Stat. § 934.22(2)-(3)).
Certain disclosures are required by law, such as those to law enforcement or investigative officers that
meet statutory requirements. Any communication that has been in storage for less than 180 days may
only be disclosed pursuant to a warrant (Fla. Stat. § 934.23(1)). For communications that have been in
storage for more than 180 days, or for communications held by a remote computing service, an
investigative or law enforcement officer may require disclosure with prior or delayed notice if the officer
uses a subpoena or obtains a court order, or without prior notice if the officer obtains a warrant (Fla.
Stat. § 934.23(2)-(3)). The law defines circumstances under which delayed notice is appropriate (Fla.
Stat. § 934.25). Records pertaining to customers, not including the contents of a communication, must
be disclosed when an investigative or law enforcement officer obtains a warrant or court order, has the
consent of the subscriber, or seeks information specified in the statute pursuant to a subpoena (Fla.
Stat. § 934.23(4)).
The law permits investigative or law enforcement officers to require a service provider to create a
backup copy of the contents of electronic communications sought, but provides for a mechanism for a
customer or subscriber to challenge this requirement (Fla. Stat. § 934.24).
Providers of electronic communications services, as well as customers and subscribers, are entitled to
civil remedies (see Section I.G.1.).
Access to stored communications: Any person who, without authorization, intentionally accesses a
facility through which an electronic communication service is provided, or who intentionally exceeds an
authorization to access such a facility, and obtains, alters, or prevents authorized access to a wire or
electronic communication while in storage is guilty of an offense (Fla. Stat. § 934.21(1)). If the offense
is committed for the purpose of commercial advantage, malicious destruction or damage, or private
commercial gain, it is a first-degree misdemeanor for a first offense and a third-degree felony for a
subsequent offense. Any other offense is a second-degree misdemeanor (Fla. Stat. § 934.21(2)).
Exceptions apply to conduct authorized by the person providing the wire or electronic communication
service or by a user of such a service with respect to a communication intended for the user, as well
as to required disclosures of customer communications or records (see above) (Fla. Stat. § 934.21(3)).
Anti-phishing law: Under the Florida Antiphishing Act, a person with an intent to engage in conduct
involving the fraudulent use or possession of another person's property may not represent himself to
be another person without the authority or approval of such other person through the use of a
webpage or Internet domain name, and use the page, domain name, or a link to the page, domain
name, or any other Internet site to induce, request, or solicit a resident to provide identifying
information (Fla. Stat. § 668.703(1)). Such a person also may not send or cause to be sent to an
e-mail address of a Florida resident an e-mail that is falsely represented as being sent by another
person without the authority or approval of the other person, that refers or links the recipient to a
webpage, and that directly or indirectly induces, requests, or solicits the recipient to provide identifying
information (Fla. Stat. § 668.703(2)).
Exemptions are available for a telecommunications or Internet service provider's good-faith
transmission or routing of, or intermediate temporary storage of, identifying information. In addition, an
interactive computer service provider may not be held liable for removing or disabling access to
content that the provider believes in good faith is used to engage in a violation of the anti-phishing law
(Fla. Stat. § 668.705).
A civil action for damages and injunctive relief is available to specified persons (see Section I.G.1.), as
well as the Attorney General (see Section II.C.).
FIPA: Under the Florida Information Protection Act, a username or e-mail address, in combination with
a password or security question and answer permitting access to an individual's online account, is
considered “personal information.” Therefore, such data is subject to the data security, data disposal,
and breach notification requirements of FIPA. For an explanation of these provisions, see Section
I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification).
Electronic surveillance provisions: See Section I.F.
Anti-spam and anti-phishing laws: See Section I.E.1.
8. Financial Information
In general: The books and records of a financial institution are confidential and may be made
available for inspection or examination only to specified individuals or entities, including a person
authorized to act for the financial institution or a properly authorized federal or state agency, or as
compelled by law (Fla. Stat. § 655.059(1)). Any depositor, borrower, member, or stockholder has the
right to inspect books and records of a financial institution pertaining to his accounts or voting rights. In
addition, the books and records pertaining to the accounts and loans of such persons are confidential
and may only be released upon express written authorization of the account holder, unless a statutory
exception applies (Fla. Stat. § 655.059(2)(a)-(b)). Violation of the nondisclosure requirement is a
third-degree felony (Fla. Stat. § 655.059(2)(c)).
FIPA: Certain types of financial information, including financial account numbers combined with an
access code or password and an individual's name, are considered “personal information” under the
Florida Information Protection Act (FIPA). Therefore, such data is subject to the data security, data
disposal, and breach notification requirements of FIPA. For an explanation of these provisions, see
Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification).
Regulations on privacy of nonpublic personal financial and health information: The Division of
Consumer Services and the Office of Insurance Regulation, each of which is part of the Florida
Department of Financial Services, have each adopted regulations generally conforming to model
regulations issued by the National Association of Insurance Commissioners concerning the privacy of
nonpublic personal financial and health information collected, maintained, and used by entities subject
to the state's Insurance Code. For a comprehensive discussion of these regulations, see Section I.E.7.
9. Health Data
Patient's Bill of Rights and Responsibilities: Under the Florida Patient's Bill of Rights and
Responsibilities (Fla. Stat. § 381.026), every patient provided health care services is entitled to certain
privacy rights consistent with providing adequate health care and maintaining the efficient
administration of a health facility or provider's office (Fla. Stat. § 381.026(4)(a)(2)). The Bill of Rights
confers a number of other rights on patients, including the right to information from a facility or
provider, the right to financial information including information on charges, and the right to access of
care (Fla. Stat. § 381.026(4)(b)-(d)). In addition, a patient has the right to know if medical treatment is
for purposes of experimental research and to consent prior to participating in such research (Fla. Stat.
§ 381.026(4)(e)).
Health care facilities must adopt policies and procedures to ensure that patients are provided the
opportunity to receive information regarding their rights and information on filing complaints with the
facility or a state agency (Fla. Stat. § 381.0261(3)). Administrative sanctions are available against
health care facilities and providers who fail to comply with the Bill of Rights (see Section II.C.).
Access to and disclosures of patient records and reports by health practitioners: A licensed
health care practitioner who makes a physical or mental examination of or administers treatment to
any person must, on request of the person or a legal representative, furnish copies of all reports and
records relating to the examination or treatment. For certain types of psychiatric or psychological
examinations, a report of examination may be provided instead of copies of records. Complete copies
of a patient's psychiatric records must be provided to a subsequent treating physician on written
request of the patient (Fla. Stat. § 456.057(6)). The term “health care practitioner” excludes
pharmacists, dental hygienists, nursing assistants, and respiratory therapists, among a number of
others (Fla. Stat. § 456.057(2)).
Records maintained by a health care practitioner may not be furnished to, and the medical condition of
a patient may not be discussed with, any person other than the patient or a representative, or other
health care practitioners and providers involved in the patient's care, except with the written
authorization of the patient. Specified exceptions apply to compulsory physical examinations, pursuant
to a civil or criminal action, for scientific or research purposes, for purposes of treating a poison
episode, or to the Department of Children and Families for purposes of abuse investigation (Fla. Stat.
§ 456.057(7)(a)). Any use of patient information for marketing or sales of goods or services without
written authorization is prohibited (Fla. Stat. § 456.057(7)(b)). The law generally also prohibits the
disclosure of any information disclosed to a health care practitioner by a patient in the course of care
or treatment except to other health care practitioners and providers involved in the patient's care, if
allowed by written patient authorization or if compelled by subpoena (Fla. Stat. § 456.057(7)(c)).
Records and information may be disclosed in spite of the above provisions in specifically described
circumstances related to a medical negligence action (Fla. Stat. § 456.057(7)(d)), or to the Department
of Health under specified circumstances (Fla. Stat. § 456.057(8)). Documents obtained or maintained
by the Department are confidential and may only be used for investigatory or disciplinary purposes
(Fla. Stat. § 456.057(9)).
Record owners (defined by the statute as a health care practitioner who generates or receives a
record, or the practitioner's employer) must develop and implement policies and standards to protect
the confidentiality and security of medical records, and must train their employees on such policies
and standards (Fla. Stat. § 456.057(10)). In addition, record owners must maintain a record of all
disclosures of information to third parties, and any such third party is prohibited from further disclosing
the information without the express written consent of the patient (Fla. Stat. § 456.057(11)).
Violations of the requirements outlined above are subject to enforcement by licensing authorities and
the Attorney General (see Section II.C.).
Access to and disclosures of hospital and other facility records: All licensed facilities (including
hospitals, ambulatory surgical centers, or mobile surgical facilities (Fla. Stat. § 395.002(16))), on written
request after the discharge of a patient, must furnish, in a timely manner and without delay for legal
review, copies of all patient records requested by a patient, legal representative, next of kin, or parent
of a minor, provided that the requestor agrees to pay a charge. The charge may include sales tax and
actual postage and may not exceed $1.00 per page (except for nonpaper records, which are subject to
a charge not to exceed $2.00). A facility may also charge an additional fee of up to $1.00 for each year
of records requested. If, however, a patient's records are copied or searched for purposes of
continuing medical treatment, the patient may not be charged a fee for copying. Finally, a facility must
allow a requestor to examine the original records in its possession on reasonable terms imposed to
assure that the records will not be damaged, altered, or destroyed (Fla. Stat. § 395.3025(1)).
The access requirements described above do not apply to records maintained by psychiatric facilities,
records of mental health treatment, and records of persons impaired by substance abuse (Fla. Stat.
§ 395.3025(2)-(3)).
In general, patient records maintained by licensed facilities are confidential and may not be disclosed
without the consent of the patient or a representative, but a number of exceptions apply, including
disclosures to facility personnel or health care practitioners involved in the patient's care, disclosures
for administrative purposes, and disclosures to the Department of Health for the purpose of
epidemiological investigation, among others (Fla. Stat. § 395.3025(4)-(5)). An unauthorized release of
information by an agent of the Department of Health that would identify an individual patient is a
first-degree misdemeanor (Fla. Stat. § 395.3025(5)). A recipient of patient record information may use the
information only for the purpose for which it was disclosed and may not further disclose it without
written consent (Fla. Stat. § 395.3025(7)).
Employers providing health and life insurance benefits: Any employer that provides or administers
health insurance or life insurance benefits to its employees must maintain the confidentiality of
information relating to the medical condition of any person covered by such benefits. Such information
is exempt from the Florida public records law, and an employer failing to implement a procedure to
protect the confidentiality of such information is liable to any person damaged, and other liability may
apply (Fla. Stat. § 760.50(5); see Section I.G.4.).
HMOs and prepaid health clinics: Any health maintenance organization (HMO) or prepaid health
clinic must maintain confidentiality against unauthorized or inadvertent disclosure of confidential
information concerning psychotherapeutic services provided to subscribers and records and reports
related to such services. HMOs and prepaid health clinics may provide aggregate data that does not
disclose subscriber identities or other identities to payors, sponsors, researchers, and accreditation
bodies (Fla. Stat. § 641.59).
Medical records maintained by an HMO are not subject to audit by the Department of Insurance, but
may be subject to subpoena or disclosed pursuant to disclosure requirements applicable to health
care practitioners (see above) (Fla. Stat. § 641.27).
Nursing homes: Licensed nursing home facilities must include a statement of a resident's right to
privacy in treatment in the statement of rights and responsibilities required to be provided to every
resident, and all personal and medical records of a resident are confidential and exempt from Florida
public records law (Fla. Stat. § 400.022(1)(m)).
On receipt of a request that complies with federal Health Insurance Portability and Accountability Act
(HIPAA) requirements, a nursing home facility must provide a copy of a resident's paper and electronic
records in the facility's possession to the resident or an authorized representative. The records must
include medical records and records concerning the care and treatment of the resident, except for
progress notes and psychiatric consultation reports. A facility must provide requested records within
14 working days after receipt of a request from a current resident or 30 days from receipt of a request
from a prior resident (Fla. Stat. § 400.145(1)). Facilities are not required to provide resident records
more than once a month, except that copies of physician reports must be provided as often as
necessary to allow effective monitoring of the resident's condition (Fla. Stat. § 400.145(7)).
Specific requirements apply to requests of the medical records of deceased residents and to fees for
copies (Fla. Stat. § 400.145(2)-(4)). If a facility determines that the release of records would be
detrimental to the physical or mental health of the resident, it may refuse to furnish the records directly
to the resident, but on a subsequent written request by the resident, must provide the records to any
medical provider designated by the resident (Fla. Stat. § 400.145(5)).
Remedies are available to aggrieved residents whose rights are violated (see Section I.G.4. and
Section II.C.).
Mental health records: Clinical records maintained for patients being treated for mental health
conditions are confidential and exempt from Florida public records laws (Fla. Stat. § 394.4615(1)).
There are specific circumstances under which such records must be released, including when
authorized by the patient or a guardian, or by court order, and when the information may be released,
as when the patient has declared an intention to harm another or if a facility administrator determines
that release is necessary for the treatment of the patient (Fla. Stat. § 394.4615(2)-(3)). Patients must
have reasonable access to their records unless it is determined to be harmful to the patient by the
patient's physician. If the patient's right is so restricted, written notice must be given to the patient or a
specified representative. Any such restriction expires after seven days but may be renewed for
subsequent seven-day periods (Fla. Stat. § 394.4615(10)).
Prepaid limited health service organizations: Any information pertaining to the diagnosis,
treatment, or health of an enrollee in a prepaid limited health service organization is confidential and
exempt from the provisions of the Florida public records law. Such information is only available
pursuant to the specific written consent of the enrollee or as otherwise provided by law (Fla. Stat.
§ 636.064(1)). In addition, any proprietary financial information contained in a contract between a
provider and a prepaid limited health service organization is confidential and exempt from the
provisions of the Florida public records law (Fla. Stat. § 636.064(1)).
Prepaid limited health service organizations are subject to the same limitations as health insurers with
respect to the use or solicitation of genetic information (Fla. Stat. § 636.0201; see below).
Cancer registry: Information submitted to the state's cancer registry program that discloses or could
lead to the disclosure of the identity of any person is confidential and exempt from the Florida public
records law. Certain disclosures are permitted, however, including those made with written consent
(Fla. Stat. § 385.202(3)).
Genetic testing: In general, DNA analysis (which includes DNA typing and genetic testing) may only
be performed with the informed consent of the subject. The results are the exclusive property of the
person tested, are confidential and may not be disclosed without the subject's consent, and are
exempt from the Florida public records law (Fla. Stat. § 760.40(1)-(2)). A person violating these
provisions is guilty of a first-degree misdemeanor (Fla. Stat. § 760.40(2)(b)). Persons performing DNA
analysis or receiving records of such an analysis must provide the subject with notice that the analysis
was performed or information was received. The notice must state that the information will be made available to
the subject's physician on request, and whether the information was used in any decision to grant or
deny any insurance, employment, mortgage, loan, credit, or educational opportunity. If the information
was used in a decision resulting in a denial, the analysis must be repeated to verify accuracy, and if
the first analysis is found to be inaccurate, the denial must be reviewed (Fla. Stat. § 760.40(3)).
Health insurers may not require or solicit genetic information, use genetic test results, or consider a
person's actions relating to genetic testing in any manner for any insurance purpose (Fla. Stat.
§ 627.4301(2)(b)).
HIV/AIDS: In both a health and a nonhealth care setting, a person must obtain informed consent of
the subject prior to HIV/AIDS testing. The results of the test and the identity of the subject are
confidential and are exempt from Florida public records laws. In general, disclosure of HIV/AIDS-
related information without the subject's consent is prohibited, although the law provides for a variety
of exceptions (Fla. Stat. § 381.004(2)). In addition, under specified conditions, health care practitioners
may disclose otherwise confidential information to a sexual partner or a needle-sharing partner (Fla.
Stat. § 456.061).
Disciplinary action and criminal penalties are provided for violations of the provisions outlined above
(see Section II.C. and Section I.H.).
Specific requirements regarding required consent for testing for HIV/AIDS and confidentiality of any
related information apply to insurers (Fla. Stat. § 627.429(4)(f)) and HMOs (Fla. Stat.
§ 641.3007(4)(f)). Employers are restricted from requiring an applicant to submit to an HIV/AIDS test
(see Section I.E.6.).
Sexually transmitted diseases: In addition to the requirements regarding HIV/AIDS outlined above,
any information held by the Department of Health relating to known or suspected cases of sexually
transmitted diseases is confidential and exempt from Florida public record laws. Such information may
not be released or made public except under statutorily defined conditions, including the consent of all
parties to whom the information applies (Fla. Stat. § 384.29(1)). Criminal penalties apply to violations
(see Section I.H.). For information specific to minors, see Section I.D.12.
Substance abuse: Records of substance abuse service providers pertaining to the identity of,
diagnosis and prognosis of, and any service provided to any individual are confidential and exempt
from Florida public records law. The records may not be disclosed without the written consent of the
individual, except for specific circumstances such as a medical emergency, for research or audit
purposes, or on court order. Specific exceptions are provided for law enforcement activities and other
circumstances (Fla. Stat. § 397.501(7)). Liability for damages and criminal penalties and fines apply to
violations (see Section I.G.4. and Section I.H.). For information specific to minors, see Section I.D.12.
FIPA: Information regarding an individual's medical history, mental or physical condition, or medical
treatment or diagnosis, as well as a health insurance policy number or subscriber identification number
and any unique identifier used by a health insurer to identify the individual, is considered “personal
information” under the Florida Information Protection Act (FIPA). Therefore, such data is subject to the
data security, data disposal, and breach notification requirements of FIPA. For an explanation of these
provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach
notification).
Insurance regulations: For information on regulations governing the handling of nonpublic consumer
health information by insurers, see Section I.E.7.
10. Social Security Numbers
FIPA: Social security numbers (SSNs) are included as a data element that, when combined with an
individual's name, is considered “personal information” under the Florida Information Protection Act
(FIPA). Therefore, such data is subject to the data security, data disposal, and breach notification
requirements of FIPA. For an explanation of these provisions, see Section I.C.6. (data security),
Section I.C.7. (data disposal), and Section I.C.8. (breach notification).
Public records law: In general, social security numbers may not be collected by state agencies and
may not be released as part of a public records request. However, exceptions apply under certain
circumstances, including disclosures to a commercial entity for a statutorily permissible use (Fla. Stat.
§ 119.071(5)(a)(1)-(7)).
Student SSNs: When a student enrolls in a public school, the school district must request that the
student provide his SSN and must indicate whether the student ID number assigned to the student is
an SSN. However, a student is not required to provide an SSN as a condition for enrollment or
graduation. The Commissioner of Education is charged with assisting school districts in the
assignment of student ID numbers to avoid any duplication (Fla. Stat. § 1008.386(1)). In addition, the
Department of Education must establish a process for assigning Florida student ID numbers to each
student in the state, at which time a school district may no longer use SSNs as student ID numbers
(Fla. Stat. § 1008.386(2)).
11. Usernames & Passwords
FIPA: An individual's financial account number or credit or debit card number, in combination with the
individual's name and any required security code, access code, or password, and a username or e-
mail address, in combination with a password or security question and answer permitting access to an
individual's online account, are data elements that are considered “personal information” under the
Florida Information Protection Act (FIPA). Therefore, such data is subject to the data security, data
disposal, and breach notification requirements of FIPA. For an explanation of these provisions, see
Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification).
12. Information about Minors
Sexually transmitted diseases: Under provisions of the public health law permitting a minor to
consent to treatment for a sexually transmitted disease without the consent of a parent, a provider of
such treatment must keep information concerning such treatment confidential and may not divulge the
information in any manner (i.e., sending a bill for services to a parent or guardian), unless there are
other legal reasons for permitting disclosure (Fla. Stat. § 394.30).
Substance abuse: Given that minors have the right to submit to substance abuse treatment without
consent, any written consent for disclosure of confidential information by a service provider may only
be given by the minor. The restriction applies to any disclosure of identifying information to a parent or
guardian for purposes of obtaining financial reimbursement (Fla. Stat. § 397.501(7)(e)(1)). In instances
when the consent of a parent or guardian is required for a minor to obtain substance abuse treatment,
a written consent for disclosure of confidential information must be given by both the minor and the
parent or guardian (Fla. Stat. § 397.501(7)(e)(2)).
13. Location Data
In general, a person may not knowingly install a tracking device or application on another person's
property without the other person's consent (Fla. Stat. § 934.425(2)). The law defines a “tracking
application” to be a software program whose primary purpose is to track or identify the location or
movement of an individual, and defines a “tracking device” to be any device whose primary purpose is
to reveal its location or movement by the transmission of electronic signals (Fla. Stat. § 934.425(1)(b)-
(c)). Any prior consent is presumed to be revoked if the consenting person and the person to whom
consent was given were married and one party files for divorce, or if one party to the prior consent files
an injunction for protection against the other (Fla. Stat. § 934.425(3)). Exceptions apply for specified
law enforcement officers, tracking devices installed on the property of minor children or elderly or
disabled persons under certain circumstances, persons acting in good faith on behalf of a business
entity for a legitimate business purpose, and owners and lessees of a motor vehicle, provided that the
device or application is removed before a transfer of title or lease expiration, the new owner or lessee
consents to nonremoval, or the owner at the time of the installation was the original manufacturer (Fla.
Stat. § 934.425(4)). Violators are guilty of a second-degree misdemeanor (Fla. Stat. § 934.425(5)).
14. Other Personal Data
Trade secret information: A person who willfully, knowingly, and without authorization discloses
data, programs, or supporting documentation that meet the definition of a trade secret under Florida
law residing or existing internal or external to a computer, computer system, computer network, or
electronic device commits an offense against intellectual property (Fla. Stat. § 815.04(4)). An offense
against intellectual property is a third-degree felony, or a second-degree felony if committed for the
purposes of devising or executing a scheme or artifice to defraud or to obtain property (Fla. Stat.
§ 815.04(5)).
E. SECTOR-SPECIFIC PROVISIONS
1. Advertising & Marketing
Anti-spam law: The Florida Electronic Mail Communication Act is the state's anti-spam law and is
designed to protect the public and legitimate businesses from deceptive and unsolicited commercial e-
mail (Fla. Stat. § 668.60 et seq.).
General prohibition: Under the law, no person may initiate or assist in the transmission of an
unsolicited commercial e-mail message from a computer located in Florida or to an e-mail
address held by a Florida resident that does any of the following:
• uses a third party's Internet domain name without permission of the third party;
• contains falsified or missing routing information or otherwise misrepresents or obscures any
information in identifying the point of origin or the transmission path of the unsolicited
commercial e-mail;
• contains false or misleading information in the subject line; or
• contains false or deceptive information in the body of the message that is designed to cause
damage to the receiving device of the addressee or of another recipient (but not including
messages resulting from a computer virus without the sender's knowledge or consent) (Fla.
Stat. § 668.603(1)).
In addition, a person may not distribute software or any other system designed to falsify missing
routing information identifying the point of origin or transmission path of a commercial e-mail (Fla. Stat.
§ 668.603(2)).
The law does not require providers of Internet access services to block, transmit, route, delay, handle,
or store certain types of e-mails, nor does it prohibit such providers from adopting a policy concerning
commercial or other e-mails, including a policy of declining to transmit certain types of messages, and
enforcing such a policy (Fla. Stat. § 668.604).
Civil remedies: The Attorney General may bring a cause of action or impose a civil penalty (see
Section II.C.), and interactive computer services, telephone companies, and cable providers that
handle or retransmit commercial e-mail may also have a cause of action (see Section I.G.1.). A
violation of the provisions of the law is a criminal offense (see Section I.H.).
Federal preemption: It should be noted that the federal CAN-SPAM Act preempts state claims that are
not based on traditional tort theories of falsity and deception. 15 U.S.C. § 7707(b)(1).
Right of publicity: No person may publish, display, or otherwise publicly use for purposes of trade or
any commercial or advertising purpose the name, portrait, photograph, or other likeness of a natural
person without the express written or oral consent of the person, a person authorized by that person to
license his name or likeness, or in the case of a deceased person, a person so authorized or, if none,
the deceased person's surviving spouse or children (Fla. Stat. § 540.08(1)). Exceptions apply for the
publication of a name or likeness (a) in a bona fide news presentation, (b) in connection with the
resale or other distribution of a literary, musical, or artistic production where the person consented to
the use in the initial sale, or (c) solely as a member of the public where the person is not otherwise
named or identified (Fla. Stat. § 540.08(4)).
Specific remedies are available to persons who have not given consent, and for members of the
armed services who have not given consent and are not subject to an exception (see Section I.G.4.).
A corollary provision prohibits any person from selling a photograph, drawing, or other visual
representation of a building or structure, the entry to which is subject to an admission fee, or using
such a representation in connection with the sale or advertising of a product or service, without the
express written consent or oral consent of the owner, unless the representation is for a bona fide news
report or the depiction of the property is incidental (Fla. Stat. § 540.09(1)-(2)). In addition, a person
may not use a tower or some other structure, to which the person charges admission, to allow
customers to look into or view a previously established tourist attraction that is also subject to an
admission fee, without the express written or oral consent of the owner or operator of the tourist
attraction (Fla. Stat. § 540.09(3)). Specific remedies are available (see Section I.G.4.).
Do-not-call: If a telephone subscriber asks the Department of Agriculture and Consumer Services to
add his number to the state's “no sales solicitation calls” list, the Department must place the subscriber
on the listing (Fla. Stat. § 501.059(3)(a)). No telephone solicitor may make an unsolicited telephonic
sales call to any number on the then-current quarterly listing published by the Department (Fla. Stat.
§ 501.059(4)). In addition, such solicitors may not initiate an outbound telephone call to a consumer or
donor who has previously communicated that he does not wish to receive a telephone call or text
message (Fla. Stat. § 501.059(5)). The Department must investigate any complaints received
concerning violations of the do-not-call provisions, and if an investigation finds that a violation has
been committed, the Department or the Attorney General may bring an action to impose civil penalties
or seek other relief (see Section II.C.).
FIPA: Businesses in the advertising and marketing sector that acquire, maintain, or store personal
information are considered “covered entities” and therefore are subject to the data security, data
disposal, and breach notification requirements of the Florida Information Protection Act (FIPA). For an
explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and
Section I.C.8. (breach notification).
2. Education
FERPA conforming provisions: The rights of students and their parents with respect to educational
records created, used, or maintained by public educational institutions and agencies are protected in
accordance with the federal Family Educational Rights and Privacy Act (FERPA; see 20 U.S.C.
§ 1232g) and state law (Fla. Stat. § 1002.22(2)). Under these provisions, students and their parents
have the right to access, inspect, and review their education records; the right to challenge the content
of such records in order to ensure their accuracy; the right to privacy with respect to the records; and
the right to receive annual notice of their rights (Fla. Stat. § 1002.22(2)(a)-(e)). A parent or student has
the right to bring an action in circuit court to challenge a violation by an official or employee of an
educational institution (Fla. Stat. § 1002.22(4); see Section I.G.4.).
Education records are confidential and exempt from Florida public records laws (Fla. Stat.
§ 1002.221(1)). An agency or institution may not release a student's education records without the
written consent of the student or parent except as permitted by FERPA or pursuant to a statutory
exception (Fla. Stat. § 1002.221(2); see also Fla. Stat. § 1002.222(1)(b)).
Agencies and institutions are prohibited from collecting, obtaining, or retaining information on the
political affiliation, voting history, religious affiliation, or biometric information of a student or a student's
parent or sibling (Fla. Stat. § 1002.222(1)(a); for additional information on biometric data, see Section
I.D.1.).
Public postsecondary educational institutions must comply with all FERPA requirements, and an
aggrieved student may bring an action to enforce his rights (Fla. Stat. § 1002.225; see Section I.G.4.).
FIPA: Businesses in the education sector that acquire, maintain, or store personal information are
considered “covered entities” and therefore are subject to the data security, data disposal, and breach
notification requirements of the Florida Information Protection Act (FIPA). For an explanation of these
provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach
notification).
Social security numbers: Schools must request a social security number (SSN) from an enrolling
student but may not make the provision of an SSN a condition for enrollment or graduation (see
Section I.D.10.).
3. Electronic Commerce
FIPA: Businesses operating in electronic commerce that acquire, maintain, or store personal
information are considered “covered entities” and therefore are subject to the data security, data
disposal, and breach notification requirements of the Florida Information Protection Act (FIPA). For an
explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and
Section I.C.8. (breach notification).
Account numbers prohibited on receipts: A merchant who accepts a credit card for payment may
not print more than the last five digits of a person's credit card number or the expiration date of the
card on any receipt provided to the cardholder (see Section I.D.4.).
4. Financial Services
FIPA: Businesses in the financial services sector that acquire, maintain, or store personal information
are considered “covered entities” and therefore are subject to the data security, data disposal, and
breach notification requirements of the Florida Information Protection Act (FIPA). For an explanation of
these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8.
(breach notification).
Access to and disclosure of account information: Any depositor, borrower, member, or
stockholder has the right to inspect books and records of a financial institution pertaining to his
accounts or voting rights. In addition, the books and records pertaining to the accounts and loans of
such persons are confidential and may only be released upon express written authorization of the
account holder, unless a statutory exception applies (Fla. Stat. § 655.059(2)(a)-(b)). For more
information, see Section I.D.8.
Regulations on privacy of nonpublic personal financial information: The Division of Consumer
Services and the Office of Insurance Regulation, both part of the Florida Department of Financial
Services, have each adopted regulations generally conforming to model regulations issued by the
National Association of Insurance Commissioners concerning the privacy of nonpublic personal
financial information collected, maintained, and used by entities subject to the state's Insurance Code.
For a comprehensive discussion of these regulations, see Section I.E.7.
5. Health Care
FIPA: Businesses in the health care sector that acquire, maintain, or store personal information are
considered “covered entities” and therefore are subject to the data security, data disposal, and breach
notification requirements of the Florida Information Protection Act (FIPA). For an explanation of these
provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach
notification).
Regulations on privacy of nonpublic personal financial and health information: The Division of
Consumer Services and the Office of Insurance Regulation, each of which is part of the Florida
Department of Financial Services, have each adopted regulations generally conforming to model
regulations issued by the National Association of Insurance Commissioners concerning the privacy of
nonpublic personal health information collected, maintained, and used by entities subject to the state's
Insurance Code. For a comprehensive discussion of these requirements, see Section I.E.7.
Medical and payment record information: General access and disclosure requirements applicable
to medical and payment records and information apply to hospitals, physicians, and other health care
facilities and practitioners. In addition, the law contains requirements applicable to specific health care
practitioners and facilities. For information on these requirements, see Section I.D.9.
6. HR & Employment
Drug testing program: Employers that implement a drug-free workplace policy in accordance with
Florida law that includes notice, education, and procedural requirements may require an employee to
submit to a drug or alcohol test, and if drugs or alcohol are found in the employee's system at a level
prescribed by rule, the employer may terminate the employee and cause the employee to forfeit
eligibility for medical and indemnity benefits. The drug-free workplace program must require the
employer to notify all employees that it is a condition of employment to refrain from reporting to work or
working with the presence of drugs or alcohol in the employee's system and that, if an injured
employee refuses to submit to testing, the employee forfeits eligibility for medical and indemnity
benefits (Fla. Stat. § 440.101(2)).
An employer may test an employee or job applicant for any drug described under the law, but the law
does not create a legal duty on the part of an employer to conduct such testing (Fla. Stat.
§ 440.102(1)(c) and (2)). The statute specifies the elements of a drug-free workplace program,
including notice to employees and applicants, procedures and employee protection requirements,
confirmation testing, and confidentiality, among others (Fla. Stat. § 440.102(3)-(14)).
Medical records: Any medical records and medical reports of an injured employee and any
information identifying an injured employee in medical bills provided to the Department of Financial
Services for purposes of workers' compensation requirements are confidential and exempt from
Florida public records law, except as otherwise provided by law (Fla. Stat. § 440.125).
Electronic surveillance: For information on restrictions imposed on employers with respect to the
electronic surveillance of employees, see Section I.F.
Criminal background checks: For information on provisions prohibiting discrimination in hiring based
on a criminal background check, and requiring background checks with respect to certain types of
employment, see Section I.D.5.
References: An employer who discloses information about a former or current employee to a
prospective employer on the request either of the prospective employer or the former or current
employee is immune from civil liability with respect to the disclosure unless it is shown by clear and
convincing evidence that the information disclosed was knowingly false or violated any civil right of the
former or current employee protected under the state's civil rights law (Fla. Stat. § 768.095).
Restrictions on employer regulation of firearms: No public or private employer may prohibit a
customer, employee, or invitee from possessing any legally owned firearm that is lawfully possessed
and locked inside a private motor vehicle in a parking lot to which the person has legal access, or
inquire regarding the presence of a firearm or search the vehicle (Fla. Stat. § 790.251(1)(a)-(b)). In
addition, no employer may condition employment on the fact that an employee holds or does not hold
a license to carry a firearm or on an agreement that prohibits an employee from keeping a legal
firearm locked in the employee's vehicle (Fla. Stat. § 790.251(1)(c)).
No employer may prohibit a customer, employee, or invitee from entering the parking lot of the
employer's place of business based on the fact that the person's vehicle contains a properly concealed
firearm, and no employer may terminate an employee for exercising his right to keep and bear arms or
exercising a right to self-defense, provided the firearm is never exhibited on company property for any
reason other than lawful defensive purposes (Fla. Stat. § 790.251(1)(d)-(e)).
Exceptions apply to employers with respect to school properties; correctional institutions; nuclear-
powered electricity generation facilities; property on which substantial activities regarding national
defense, aerospace, and homeland security are conducted; property on which the primary business
involves combustible or explosive materials; motor vehicles owned or leased by a public or private
employer; or any other property on which firearms possession is otherwise prohibited by federal law or
contract or state law (Fla. Stat. § 790.251(7)).
The Attorney General has enforcement authority over these provisions (see Section II.C.), and a
private cause of action is available (see Section I.G.4.).
HIV/AIDS: No employer may require an individual to take an HIV/AIDS-related test as a condition of
hiring, promotion, or continued employment, or fail to hire, refuse to hire, or discharge any individual
on the basis of an HIV/AIDS-related test, unless the absence of HIV is a bona fide occupational
qualification for the job in question. The statute describes the burden of proof employers must meet to
satisfy the bona fide requirement (Fla. Stat. § 760.50(3)). A person aggrieved by a violation has a
private cause of action (see Section I.G.4.).
FIPA: Employers that acquire, maintain, or store personal information are considered “covered
entities” and therefore are subject to the data security, data disposal, and breach notification
requirements of the Florida Information Protection Act (FIPA). For an explanation of these provisions,
see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach
notification).
7. Insurance
Regulations on privacy of nonpublic personal financial and health information: The Florida
Insurance Code specifically requires the Department of Financial Services and the Financial Services
Commission to adopt rules concerning the privacy of nonpublic personal financial and health
information collected, maintained, and used by entities subject to the state's Insurance Code (Fla.
Stat. § 626.9651). Pursuant to this requirement, the Division of Consumer Services and the Office of
Insurance Regulation, both part of the Department of Financial Services, have adopted essentially
identical regulations that generally conform to model regulations issued by the National Association of
Insurance Commissioners. The regulations from the Division of Consumer Services are at Fla. Admin.
Code Ann. r. § 69J-128.001, et seq. The regulations from the Office of Insurance Regulation are at
Fla. Admin. Code Ann. r. § 69O-128.001, et seq. The provisions are outlined in detail below.
Primary definitions: A “licensee” means all licensed insurers, producers, and other persons required to
be licensed, or authorized or required to be authorized, or registered or required to be registered
under the Florida Insurance Code (Fla. Admin. Code Ann. r. § 69J-128.002(16); Fla. Admin. Code
Ann. r. § 69O-128.002(16)). “Consumers” are generally defined to include individuals seeking to obtain
an insurance product or service from a licensee to be used primarily for personal, family, or household
purposes (Fla. Admin. Code Ann. r. § 69J-128.002(5); Fla. Admin. Code Ann. r. § 69O-128.002(5)),
while “customers” are consumers who have a continuing relationship with the licensee (Fla. Admin.
Code Ann. r. § 69J-128.002(8); Fla. Admin. Code Ann. r. § 69O-128.002(8)). The regulations provide
information regarding the determination of consumer status (Fla. Admin. Code Ann. r. § 69J-
128.002(5)(b); Fla. Admin. Code Ann. r. § 69O-128.002(5)(b)), as well as examples of a continuing
relationship with a customer (Fla. Admin. Code Ann. r. § 69J-128.002(9); Fla. Admin. Code Ann. r. § 69O-
128.002(9)).
“Nonpublic personal financial information” means personally identifiable financial information and any
list, description, or other grouping of consumers derived using any personally identifiable financial
information that is not publicly available, but does not include health information (Fla. Admin. Code
Ann. r. § 69J-128.002(19); Fla. Admin. Code Ann. r. § 69O-128.002(19)). The regulations provide
guidance on what constitutes a reasonable basis for determining that information is publicly available
(Fla. Admin. Code Ann. r. § 69J-128.002(22)(b); Fla. Admin. Code Ann. r. § 69O-128.002(22)(b)).
“Personally identifiable financial information” is any information provided by a consumer to a licensee,
any information about a customer from any transaction with the licensee, or information otherwise
obtained by the licensee, among other specified items (Fla. Admin. Code Ann. r. § 69J-128.002(21);
Fla. Admin. Code Ann. r. § 69O-128.002(21)).
“Health information” means any oral or recorded information created by or derived from a health care
provider or consumer, other than the individual's age or gender, relating to the individual's past or
future physical, mental, or behavioral health or condition, or the provision of or payment for health care
to the individual (Fla. Admin. Code Ann. r. § 69J-128.002(14); Fla. Admin. Code Ann. r. § 69O-
128.002(14)). “Nonpublic personal health information” is health information that identifies the subject
or for which there is a reasonable basis to believe that the information could be used to identify the
subject (Fla. Admin. Code Ann. r. § 69J-128.002(20); Fla. Admin. Code Ann. r. § 69O-128.002(20)).
Privacy and opt-out notices: Licensees must provide an initial notice to a customer no later than when
a customer relationship is established, or to a consumer before the licensee discloses nonpublic
personal financial information to any nonaffiliated third party (Fla. Admin. Code Ann. r. § 69J-
128.005(1); Fla. Admin. Code Ann. r. § 69O-128.005(1)). Initial notice to a consumer is not required if
the licensee does not disclose any information about the consumer to a nonaffiliated third party except
as allowed by the regulations, or if a notice has been provided by an affiliated entity that meets
regulatory requirements (Fla. Admin. Code Ann. r. § 69J-128.005(2); Fla. Admin. Code Ann. r. § 69O-
128.005(2)). With respect to existing customers buying new products, a licensee satisfies the notice
requirement if it provides a revised policy notice or if the initial notice previously given was accurate
with respect to the new product (Fla. Admin. Code Ann. r. § 69J-128.005(4); Fla. Admin. Code Ann. r.
§ 69O-128.005(4)). Certain exceptions apply when establishing the customer relationship is not at the
customer's election or when notice would substantially delay the transaction (Fla. Admin. Code Ann. r.
§ 69J-128.005(5); Fla. Admin. Code Ann. r. § 69O-128.005(5)).
With respect to opt-out notices, licensees must provide clear and conspicuous notice to consumers
that explains the right to opt out. The notice must state that the licensee discloses or reserves the right
to disclose nonpublic financial information about a consumer and that the consumer has the right to
opt out of the disclosure, together with a reasonable means by which the customer may opt out. The
regulation provides examples of adequate opt-out notices, and reasonable and unreasonable opt-out
means (Fla. Admin. Code Ann. r. § 69J-128.008(1); Fla. Admin. Code Ann. r. § 69O-128.008(1)). The
opt-out notice may be provided on the same form as the initial notice form, but if it is provided
subsequent to the initial notice, a copy of the initial notice must accompany the opt-out notice (Fla.
Admin. Code Ann. r. § 69J-128.008(2)-(3); Fla. Admin. Code Ann. r. § 69O-128.008(2)-(3)). Licensees
must comply with a consumer opt-out as soon as practicable after receiving it, and the consumer may
exercise the right at any time (Fla. Admin. Code Ann. r. § 69J-128.008(5)-(6); Fla. Admin. Code Ann. r.
§ 69O-128.008(5)-(6)). The opt-out is effective until the consumer revokes it. When a customer
relationship terminates, the licensee must continue to comply with any opt-out direction in effect at the
time of termination, but if a customer relationship is reestablished, the prior opt-out notice does not
apply to the new relationship (Fla. Admin. Code Ann. r. § 69J-128.008(7); Fla. Admin. Code Ann. r.
§ 69O-128.008(7)).
In general, licensees must provide an annual privacy notice to customers, although they are not
required to provide annual notice to former customers (Fla. Admin. Code Ann. r. § 69J-128.006; Fla.
Admin. Code Ann. r. § 69O-128.006). The regulations specify the contents of privacy notices (Fla.
Admin. Code Ann. r. § 69J-128.007; Fla. Admin. Code Ann. r. § 69O-128.007), as well as
requirements for revising privacy notices (Fla. Admin. Code Ann. r. § 69J-128.009; Fla. Admin. Code
Ann. r. § 69O-128.009) and delivery of privacy notices (Fla. Admin. Code Ann. r. § 69J-128.010; Fla.
Admin. Code Ann. r. § 69O-128.010).
Limitations on disclosure of nonpublic personal financial information: A licensee may not disclose
nonpublic personal financial information about a consumer unless the licensee has provided an initial

Domestic Privacy Profile: Florida

  • 4. Domestic Privacy Profile: FLORIDA 3 I. APPLICABLE LAWS AND REGULATIONS A. CONSTITUTIONAL PROVISIONS Art. I, § 23 of the Florida Constitution provides for an express right of privacy, providing that “every natural person has the right to be let alone and free from government intrusion into the person's private life” except as otherwise provided in the Constitution. However, the right does not extend to the public's right to access public records and meetings as provided by law. In addition, art. I, § 12 of the Constitution, which generally prohibits unreasonable searches and seizures, specifically guarantees a person's right to be secure against “the unreasonable interception of private communications by any means.” B. PERSONAL DATA PROTECTION PROVISIONS The primary privacy and data security law in Florida is the Florida Information Protection Act (“FIPA”; Fla. Stat. § 501.171). Under this law, businesses in the state must provide for appropriate data security, establish disposal requirements, and provide notices of data breaches as required under the law, as outlined in more detail below and at Section I.C.6., Section I.C.7., and Section I.C.8. The data breach provisions of FIPA also apply to governmental entities (Fla. Stat. § 501.171(1)(b) and Fla. Stat. § 282.318(4)(j)(2); see Section I.C.8.), although separate provisions regarding information technology security apply to state agencies (Fla. Stat. § 282.318; see Section I.C.6.). Additional privacy provisions cover the fraudulent use of e-mail communications to solicit personal information (the “Florida Antiphishing Act,” Fla. Stat. § 668.701, et seq.; see Section I.D.7.) and impermissible eavesdropping (Fla. Stat. § 934.01, et seq.; see Section I.F.). Finally, laws related to privacy and data security applicable to specific sectors—such as health care, insurance, and HR and employment—are set forth in the portions of this profile dedicated to those sectors. 1. Who is covered? 
The breach notification provisions of the Florida Information Protection Act (FIPA) apply to each individual whose personal information was, or was reasonably believed to have been, accessed as a result of a breach (Fla. Stat. § 501.171(4)(a)). However, no notification is required to such individuals if, after an appropriate investigation and consultation with federal, state, and local law enforcement agencies, it is determined that the breach has not and will not likely result in identity theft or any other harm to the personal information of individuals whose personal information has been accessed (Fla. Stat. § 501.171(4)(c)). 2. What is covered? With respect to data security under the Florida Information Protection Act (FIPA), every covered entity, governmental entity, or third-party agent must take reasonable measures to protect and secure data in electronic form containing personal information (Fla. Stat. § 501.171(2)). In addition, specific requirements govern information technology and data security standards for state agencies (Fla. Stat. § 282.318). For more information on data security requirements, see Section I.C.6. With respect to FIPA's data disposal requirements, each covered entity or third-party agent must take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody and control when the records are no longer required to be maintained, through shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means (Fla. Stat. § 501.171(8)). The breach notification provisions of FIPA require covered entities, governmental entities, and third- party agents to provide notification of a breach under specified circumstances (Fla. Stat. § 501.171(3)- (7)). The notification requirements are outlined in detail at Section I.C.8.
  • 5. Domestic Privacy Profile: FLORIDA 4 3. Who must comply? The data security, disposal, and breach notification requirements of the Florida Information Protection Act (FIPA) apply to covered entities. A “covered entity” is defined as a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, or stores personal information. In addition, for purposes of the breach notification requirements, the term includes government entities (Fla. Stat. § 501.171(1)(b); see also Fla. Stat. § 282.318(4)(j)(2)). The law specifically requires covered entities, governmental entities, and third-party agents to comply with FIPA's data security requirements (Fla. Stat. § 501.171(2)). The law defines a “governmental entity” to include specified instrumentalities of the state—including departments, divisions, and bureaus, among others—that collect, maintain, store, or use data in electronic form that contains personal information (Fla. Stat. § 501.171(1)(f)). “Third-party agents” are entities that have been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity (Fla. Stat. § 501.171(1)(h)). The data disposal requirements of FIPA apply to covered entities and third-party agents, but not to governmental entities (Fla. Stat. § 501.171(8)). C. DATA MANAGEMENT PROVISIONS 1. Notice & Consent Regulations governing the treatment of nonpublic personal financial and health information by insurers in Florida include notice and consent requirements (see Section I.E.7.). In addition, provisions governing specific types of health care facilities and providers and health data contain requirements regarding notice and consent (see Section I.D.9.). Florida's right of publicity law prohibits the publishing of a person's name or likeness for commercial, trade, or advertising purpose without the consent of the person (Fla. Stat. § 540.08; see Section I.E.1.). 
For information on breach notification requirements under the Florida Information Protection Act (FIPA), see Section I.C.8. 2. Collection & Use There are no general Florida laws governing the collection and use of personal information. However, regulations governing the treatment of nonpublic personal financial and health information by insurers in Florida include collection and use requirements (see Section I.E.7.). In addition, provisions governing specific types of health care facilities and providers and health data contain requirements regarding collection and use (see Section I.D.9.). 3. Disclosure to Third Parties There are no general Florida laws governing the disclosure of personal information to third parties. However, regulations governing the treatment of nonpublic personal financial and health information by insurers in Florida include requirements regarding disclosure of such information to third parties (see Section I.E.7.). In addition, provisions governing specific types of health care facilities and providers and health data contain requirements regarding third-party disclosure (see Section I.D.9.). Electronic communications providers are generally prohibited from divulging the contents of electronic communications held in storage (see Section I.D.7.). Finally, specific requirements apply to the disclosure of financial information by a financial institution (see Section I.D.8.). 4. Data Storage There are no general Florida laws governing data storage requirements. Specific requirements apply to the storage and retention of employee records by employers (see Section I.E.6.).
  • 6. Domestic Privacy Profile: FLORIDA 5 5. Access & Correction There are no general Florida laws governing access and correction of personal information. However, regulations governing the treatment of nonpublic personal financial and health information by insurers in Florida include access and correction requirements (see Section I.E.7.). In addition, provisions governing specific types of health care facilities and providers and health data contain requirements regarding access and correction (see Section I.D.9.). Finally, parents' and students' rights with respect to access to student records conform to federal requirements (see Section I.E.2.). 6. Data Security FIPA: Under the Florida Information Protection Act (FIPA), every covered entity, governmental entity, or third-party agent must take reasonable measures to protect and secure data in electronic form containing personal information (Fla. Stat. § 501.171(2)). A “covered entity” is defined as a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, or stores personal information (Fla. Stat. § 501.171(1)(b)). A “governmental entity” includes specified instrumentalities of the state—including departments, divisions, and bureaus, among others—that collect, maintain, store, or use data in electronic form that contains personal information (Fla. Stat. § 501.171(1)(f)). “Third-party agents” are entities that have been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity (Fla. Stat. § 501.171(1)(h)). A violation of this requirement is treated as an unfair or deceptive trade practice in an action brought by the Attorney General (Fla. Stat. § 501.171(9)(a); see Section II.C.). Specific requirements apply to the implementation of standards adopted by the Agency for State Technology (AST) for information technology security and rules regarding data security. 
The statute, referenced as the Information Technology Security Act (Fla. Stat. § 282.318(1)), outlines the responsibilities of the AST, including developing a statewide information technology security strategic plan that must be updated annually by February 1 of each year, developing a framework of procedures and risk assessment methodologies to be used by state agencies, and establishing a security incident reporting process, among other requirements (Fla. Stat. § 282.318(3)). Each state agency is required to designate an information security manager, establish a security incident response team, submit a security plan adopted pursuant to the AST's rules and guidelines by July 31 each year, and fulfill a variety of other statutory requirements, including periodic audits, employee training, and processes for detecting and responding to threats, breaches, or other incidents (Fla. Stat. § 282.318(4)). Any risk assessment, evaluation, external audit, or other reports related to a state's information technology security program are considered confidential and are exempt under the state's public records law (Fla. Stat. § 282.318(5)).

7. Data Disposal

FIPA: Under the Florida Information Protection Act (FIPA), each covered entity or third-party agent must take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody and control when the records are no longer required to be maintained, through shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means (Fla. Stat. § 501.171(8)). A “covered entity” is defined as a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, or stores personal information (Fla. Stat. § 501.171(1)(b)).
“Third-party agents” are entities that have been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity (Fla. Stat. § 501.171(1)(h)). A violation of this requirement is treated as an unfair or deceptive trade practice in an action brought by the Attorney General (Fla. Stat. § 501.171(9)(a); see Section II.C.).

8. Data Breach

Under the Florida Information Protection Act (FIPA), covered entities, governmental entities, and third-party agents must provide notification of a breach involving personal information under specified circumstances (Fla. Stat. § 501.171(3)-(7)), as outlined more fully below.
Primary definitions: A “covered entity” is defined as a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, or stores personal information, including governmental entities (Fla. Stat. § 501.171(1)(b); see also Fla. Stat. § 282.318(4)(j)(2)). A “governmental entity” includes specified instrumentalities of the state—including departments, divisions, and bureaus, among others—that collect, maintain, store, or use data in electronic form that contains personal information (Fla. Stat. § 501.171(1)(f)). “Third-party agents” are entities that have been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity (Fla. Stat. § 501.171(1)(h)).

“Personal information” means either of the following:

• an individual's first name or first initial and last name in combination with any of the following data elements:
  ◦ social security number;
  ◦ driver's license or ID card number, passport number, military ID number, or other number issued on a government document;
  ◦ financial account number or credit or debit card number in combination with any required security code, access code, or password;
  ◦ any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis; or
  ◦ health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; OR
• A username or e-mail address, in combination with a password or security question and answer permitting access to an individual's online account (Fla. Stat. § 501.171(1)(g)).
“Breach of security” or “breach” means unauthorized access to data in electronic form containing personal information, but good faith access by an employee or agent of a covered entity is not a breach of security provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use (Fla. Stat. § 501.171(1)(a)).

Notice to individuals: A covered entity must give notice to each individual in Florida whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of a breach. Notice must be provided as expeditiously as possible and without unreasonable delay, taking into account the amount of time needed for the entity to determine the extent of the breach, identify affected individuals, and restore the reasonable integrity of the data system. Notification must be made no later than 30 days after the determination of a breach or a reason to believe that a breach has occurred, unless an exception applies (Fla. Stat. § 501.171(4)(a)). Notification may be delayed if a federal, state, or local law enforcement agency determines that such notice would interfere with a criminal investigation and makes a written request to delay notification for a specified period. By subsequent written request, a law enforcement agency may revoke the delay as of a specified date or extend the period specified in the original request (Fla. Stat. § 501.171(4)(b)).

Notice to individuals is not required if, after an appropriate investigation and consultation with federal, state, and local law enforcement agencies, it is determined that the breach has not and will not likely result in identity theft or any other harm to the personal information of individuals whose personal information has been accessed. This determination must be documented in writing and maintained for at least five years. The covered entity must provide the determination to the Attorney General within 30 days (Fla. Stat.
§ 501.171(4)(c)).

Notice to individuals may be made by written notice sent to the mailing address of the individual or e-mail notice sent to the e-mail address of the individual in the records of the covered entity (Fla. Stat. § 501.171(4)(d)). The notice must include the date, estimated date, or estimated date range of the breach; a description of the personal information accessed; and information on how an individual can contact the covered entity to inquire about the breach and the information maintained by the entity (Fla. Stat. § 501.171(4)(e)). Substitute notice, by a conspicuous notice on the covered entity's website if it maintains one or by notice in specified print or broadcast media, is permitted if the cost of providing notice would exceed $250,000, the number of affected individuals exceeds 500,000, or the covered entity does not have mailing or e-mail address information for affected individuals (Fla. Stat.
§ 501.171(4)(f)). An entity that provides notice in accordance with the rules established by its primary or functional federal regulator is deemed to meet FIPA notice requirements (Fla. Stat. § 501.171(4)(g)).

Notice to the Attorney General: A covered entity must provide notice to the Attorney General (referenced in the law as the Department of Legal Affairs) of any breach of security affecting 500 or more Florida residents. Notice must be made as expeditiously as practicable, but no later than 30 days after determination of the breach or reason to believe a breach occurred. A 15-day extension for the notice required to individuals (see above) is available if a covered entity provides the Attorney General with good cause for a delay in writing within 30 days after determination of the breach or reason to believe a breach occurred (Fla. Stat. § 501.171(3)(a)).

Notice to the Attorney General must include a synopsis of the events surrounding the breach, the number of individuals in Florida who were or potentially have been affected, services being offered without charge by the covered entity to affected individuals, a copy of the notice provided to individuals or an explanation of other actions taken pursuant to the individual notice requirement, and the name and contact information of an employee or agent of the covered entity from whom additional information may be obtained (Fla. Stat. § 501.171(3)(b)). On request from the Attorney General, a covered entity must provide any police reports, incident reports, or forensic reports; a copy of its security breach policy; or information on steps taken to rectify the breach (Fla. Stat. § 501.171(3)(c)). Covered entities may provide supplemental information at any time, and specified governmental entities, including the judicial branch of the Governor's office, may post required information on an agency-managed website in lieu of written notice (Fla. Stat. § 501.171(3)(d)-(e)).
Notice by third-party agents: A third-party agent must notify a covered entity of any breach of security of a system maintained by the third-party agent on the entity's behalf as expeditiously as possible, but no later than 10 days following the determination of a breach of security or reason to believe the breach occurred. On receiving notice, the covered entity must then provide individual notice and notice to the Attorney General as required by FIPA (see above). The third-party agent must provide the covered entity with all necessary information to allow it to comply with notice requirements (Fla. Stat. § 501.171(6)(a)). A third-party agent may provide notice as outlined in FIPA on behalf of a covered entity, but an agent's failure to provide proper notice is deemed a violation by the covered entity (Fla. Stat. § 501.171(6)(b)).

Notice to credit reporting agencies: In a circumstance requiring notice to more than 1,000 individuals at a single time, a covered entity must also notify all consumer reporting agencies that compile and maintain consumer information on a nationwide basis of the timing, content, and distribution of individual notices without unreasonable delay (Fla. Stat. § 501.171(5)).

Public records exemption: Information provided to the Attorney General following a data security incident is confidential and may not be disclosed under the state's public records law unless a specified exception applies (Fla. Stat. § 501.171(11)).

Remedies: A violation of the data breach notification requirements is treated as an unfair or deceptive trade practice in an action brought by the Attorney General, and additional specific remedies are available, although there is no private cause of action for a violation (Fla. Stat. § 501.171(9)-(10); see Section II.C.).

9. Data Transfer & Cloud Computing

Our research has revealed no provisions of Florida law specifically addressing data transfers or cloud computing, but Fla. Stat.
§ 282.201, which pertains to the state data center established by the Agency for State Technology, permits the hosting of data services “externally through a third-party provider as an enterprise information technology service.” Furthermore, Opinion 12-3 of the Professional Ethics Committee of the Florida Bar indicates that lawyers may use cloud computing “if they take reasonable precautions to ensure that confidentiality of client information is maintained, that the service provider maintains adequate security, and that the lawyer has adequate access to the information stored remotely.”
10. Other Provisions

Our research has revealed no other generally applicable data management provisions in Florida.

D. SPECIFIC TYPES OF DATA

1. Biometric Data

Public school institutions and agencies may not collect biometric information of students, or their parents or siblings. The law defines “biometric information” as information collected from the electronic measurement or evaluation of any physical or behavioral characteristics attributable to a single person, including fingerprints; hand, eye, or vocal characteristics; and any other characteristics used for the purpose of electronically identifying the person with a high degree of certainty. Examples include fingerprint or hand scans, retina or iris scans, voice prints, and facial geometry scans (Fla. Stat. § 1002.222(1)(a)).

2. Consumer Data

Under the data disposal provisions of the Florida Information Protection Act (FIPA), each covered entity or third-party agent must take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody and control when the records are no longer required to be maintained, through shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means (Fla. Stat. § 501.171(8)). A “covered entity” includes any sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, or stores personal information (Fla. Stat. § 501.171(1)(b)). For more information on data disposal requirements, see Section I.C.7.

Consumer data generally contains information that is considered “personal information”—such as an individual's name coupled with defined data elements like social security numbers or account numbers—and is therefore subject to the data security and breach notification requirements of FIPA.
For an explanation of these provisions, see Section I.C.6. (data security) and Section I.C.8. (breach notification).

3. Credit Card Data

Account numbers prohibited on receipts: A merchant who accepts a credit card for payment may not print more than the last five digits of a person's credit card number or the expiration date of the card on any receipt provided to the cardholder. The prohibition applies only to electronically printed receipts and is inapplicable to transactions in which the sole means of recording the credit card number is by handwriting or an imprint of the card (Fla. Stat. § 501.0118(2)-(3)). A violation constitutes a noncriminal violation subject to a fine, and a state's attorney may bring an action to enforce the provision (see Section II.C.).

FIPA: Credit and debit card numbers are included as a data element that, when combined with an individual's name, is considered “personal information” under the Florida Information Protection Act (FIPA). Therefore, such data is subject to the data security, data disposal, and breach notification requirements of FIPA. For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification).

4. Credit Reports

Security freezes: A consumer may place a security freeze on his consumer report by making a request in writing to the consumer reporting agency, including proper identification, and paying a fee (Fla. Stat. § 501.005(2)). The consumer reporting agency must place such a freeze within five business days of receiving the request and must send written confirmation to the consumer within 10 business days of instituting the freeze, together with a unique ID number to be used by the consumer to provide authorization for removal of the freeze (Fla. Stat. § 501.005(3)-(4)). The statute specifies procedures for temporarily lifting a freeze, providing access to limited information, and removing a freeze (Fla. Stat. § 501.005(5)-(11)).
A security freeze does not apply to circumstances and persons specified by law (Fla. Stat. § 501.005(12) and (15)). In addition, the law contains requirements for
charging fees (Fla. Stat. § 501.005(13)) and prohibits a credit reporting agency from changing specified information in a consumer report—such as name, address, date of birth, or social security number—without sending written confirmation of the change to the consumer within 30 days of posting the change in the consumer's file (Fla. Stat. § 501.005(14)). Consumers may bring a cause of action for violations (see Section I.G.1.).

Specific provisions apply to security freezes placed on the consumer report of a protected person, defined as a person under the age of 16 or a specified person represented by a guardian or advocate (Fla. Stat. § 501.0051).

FIPA: Information generally included in credit reports, including an individual's name in combination with data elements such as social security numbers or account numbers, is considered “personal information” under the Florida Information Protection Act (FIPA). Therefore, such data is subject to the data security, data disposal, and breach notification requirements of FIPA. For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification).

Under FIPA, if a breach of personal information involves more than 1,000 individuals at a single time, a covered entity must notify all consumer reporting agencies that compile and maintain consumer information on a nationwide basis of the timing, content, and distribution of individual notices without unreasonable delay (Fla. Stat. § 501.171(5); see Section I.C.8.).

5. Criminal Records

Anti-discrimination provisions: Criminal background checks generally are permitted in Florida. However, no person may be disqualified from employment by a state or local subdivision or agency because of a prior conviction of a crime, unless the crime was a felony or first-degree misdemeanor and directly related to the position sought.
This prohibition does not apply to law enforcement and correctional agencies, fire departments in relation to hiring firefighters, or the hiring of county or municipality personnel for positions critical to security or public safety (Fla. Stat. § 112.011).

Required background checks: Certain employers, primarily those who are involved in working with children or the elderly, are required by law to conduct criminal background checks on applicants and employees prior to allowing them to work in such an environment (see, e.g., Fla. Stat. § 394.4572 regarding mental health personnel, or Fla. Stat. § 400.215 regarding nursing home personnel). The screening requirements are outlined in detail at Fla. Stat. §§ 435.001, et seq.

Negligent hiring safe harbor: Florida statutory tort law provides a safe harbor provision for employers who are being sued for an intentional tort of an employee. Under this provision, an employer is presumed not to have been negligent in hiring the employee if, prior to hiring the employee, the employer conducted a background investigation that did not reveal any information reasonably demonstrating the unsuitability of the applicant. However, the failure of an employer to conduct such an investigation does not raise any presumption that the employer did not use reasonable care in hiring. The statute specifies the required elements of a background check, including conducting a criminal background investigation meeting enumerated requirements, making an effort to obtain references, asking specified questions in the job application, checking driver's license records when relevant, and interviewing the applicant (Fla. Stat. § 768.096).

6. Drivers' Licenses/Motor Vehicle Records

FIPA: Driver's license numbers are included as a data element that, when combined with an individual's name, is considered “personal information” under the Florida Information Protection Act (FIPA).
Therefore, such data is subject to the data security, data disposal, and breach notification requirements of FIPA. For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification).

Personal information contained in motor vehicle records: Personal information, including highly restricted personal information as defined under the federal Driver's Privacy Protection Act (DPPA), contained in a Florida motor vehicle record is confidential and may only be disclosed as authorized under the DPPA. In addition, information received under an authorization in the DPPA may not be
used for mass commercial solicitation of clients for litigation against motor vehicle dealers (Fla. Stat. § 119.0712(2)(b)).

ALPRs: Specified images and data collected through the use of an automated license plate recognition system (ALPR) and personal identifying information of an individual contained in data generated from an image are confidential and are exempt from disclosure under Florida's public records law. Exceptions exist for disclosures to criminal justice authorities and to the individual to whom the license is registered under specified conditions (Fla. Stat. § 316.0777).

Negligent hiring safe harbor: An element of a required background investigation that would shield an employer from tort liability for negligent hiring (see Section I.C.5.) includes obtaining, with written consent of the applicant, the driver's license record of the applicant if the check is relevant to the work the applicant will be performing and the record can be reasonably obtained (Fla. Stat. § 768.096(1)(d)).

7. Electronic Communications/Social Media Accounts

Disclosure of customer communications or records: Providers of electronic communications services generally may not disclose to any person or entity the contents of a communication while in electronic storage by the service, or to any governmental entity a record or other information pertaining to a subscriber or customer of the service (Fla. Stat. § 934.22(1)(a)). Similar restrictions apply to providers of remote computing services (Fla. Stat. § 934.22(1)(b)). Exceptions are provided for disclosures to an addressee or intended recipient of a communication, disclosures made with the lawful consent of the originator or an addressee or intended recipient, disclosures to persons authorized to forward a communication to its destination, and disclosures to law enforcement agencies meeting certain conditions, among others (Fla. Stat. § 934.22(2)-(3)).
Certain disclosures are required by law, such as those to law enforcement or investigative officers that meet statutory requirements. Any communication that has been in storage for less than 180 days may only be disclosed pursuant to a warrant (Fla. Stat. § 934.23(1)). For communications that have been in storage for more than 180 days, or for communications held by a remote computing service, an investigative or law enforcement officer may require disclosure with prior or delayed notice if the officer uses a subpoena or obtains a court order, or without prior notice if the officer obtains a warrant (Fla. Stat. § 934.23(2)-(3)). The law defines circumstances under which delayed notice is appropriate (Fla. Stat. § 934.25). Records pertaining to customers, not including the contents of a communication, must be disclosed when an investigative or law enforcement officer obtains a warrant or court order, has the consent of the subscriber, or seeks information specified in the statute pursuant to a subpoena (Fla. Stat. § 934.23(4)). The law permits investigative or law enforcement officers to require a service provider to create a backup copy of the contents of electronic communications sought, but provides for a mechanism for a customer or subscriber to challenge this requirement (Fla. Stat. § 934.24). Providers of electronic communications services, as well as customers and subscribers, are entitled to civil remedies (see Section I.G.1.).

Access to stored communications: Any person who, without authorization, intentionally accesses a facility through which an electronic communication service is provided, or who intentionally exceeds an authorization to access such a facility, and obtains, alters, or prevents authorized access to a wire or electronic communication while in storage is guilty of an offense (Fla. Stat. § 934.21(1)).
If the offense is committed for the purpose of commercial advantage, malicious destruction or damage, or private commercial gain, it is a first-degree misdemeanor for a first offense and a third-degree felony for a subsequent offense. Any other offense is a second-degree misdemeanor (Fla. Stat. § 934.21(2)). Exceptions apply to conduct authorized by the person providing the wire or electronic communication service or by a user of such a service with respect to a communication intended for the user, as well as to required disclosures of customer communications or records (see above) (Fla. Stat. § 934.21(3)).

Anti-phishing law: Under the Florida Antiphishing Act, a person with an intent to engage in conduct involving the fraudulent use or possession of another person's property may not represent himself to be another person without the authority or approval of such other person through the use of a
webpage or Internet domain name, and use the page, domain name, or a link to the page, domain name, or any other Internet site to induce, request, or solicit a resident to provide identifying information (Fla. Stat. § 668.703(1)). Such a person also may not send or cause to be sent to an e-mail address of a Florida resident an e-mail that is falsely represented as being sent by another person without the authority or approval of the other person, that refers or links the recipient to a webpage, and that directly or indirectly induces, requests, or solicits the recipient to provide identifying information (Fla. Stat. § 668.703(2)). Exemptions are available for a telecommunications or Internet service provider's good-faith transmission or routing of, or intermediate temporary storage of, identifying information. In addition, an interactive computer service provider may not be held liable for removing or disabling access to content that the provider believes in good faith is used to engage in a violation of the anti-phishing law (Fla. Stat. § 668.705). A civil action for damages and injunctive relief is available to specified persons (see Section I.G.1.), as well as the Attorney General (see Section II.C.).

FIPA: Under the Florida Information Protection Act, a username or e-mail address, in combination with a password or security question and answer permitting access to an individual's online account, is considered “personal information.” Therefore, such data is subject to the data security, data disposal, and breach notification requirements of FIPA. For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification).

Electronic surveillance provisions: See Section I.F.

Anti-spam and anti-phishing laws: See Section I.E.1.

8. Financial Information

In general: The books and records of a financial institution are confidential and may be made available for inspection or examination only to specified individuals or entities, including a person authorized to act for the financial institution or a properly authorized federal or state agency, or as compelled by law (Fla. Stat. § 655.059(1)). Any depositor, borrower, member, or stockholder has the right to inspect books and records of a financial institution pertaining to his accounts or voting rights. In addition, the books and records pertaining to the accounts and loans of such persons are confidential and may only be released upon express written authorization of the account holder, unless a statutory exception applies (Fla. Stat. § 655.059(2)(a)-(b)). Violation of the nondisclosure requirement is a third-degree felony (Fla. Stat. § 655.059(2)(c)).

FIPA: Certain types of financial information, including financial account numbers combined with an access code or password and an individual's name, are considered “personal information” under the Florida Information Protection Act (FIPA). Therefore, such data is subject to the data security, data disposal, and breach notification requirements of FIPA. For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification).

Regulations on privacy of nonpublic personal financial and health information: The Division of Consumer Services and the Office of Insurance Regulation, each of which is part of the Florida Department of Financial Services, have each adopted regulations generally conforming to model regulations issued by the National Association of Insurance Commissioners concerning the privacy of nonpublic personal financial and health information collected, maintained, and used by entities subject to the state's Insurance Code. For a comprehensive discussion of these regulations, see Section I.E.7.

9. Health Data

Patient's Bill of Rights and Responsibilities: Under the Florida Patient's Bill of Rights and Responsibilities (Fla. Stat. § 381.026), every patient provided health care services is entitled to certain privacy rights consistent with providing adequate health care and maintaining the efficient administration of a health facility or provider's office (Fla. Stat. § 381.026(4)(a)(2)). The Bill of Rights confers a number of other rights on patients, including the right to information from a facility or provider, the right to financial information including information on charges, and the right to access of care (Fla. Stat. § 381.026(4)(b)-(d)). In addition, a patient has the right to know if medical treatment is
for purposes of experimental research and to consent prior to participating in such research (Fla. Stat. § 381.026(4)(e)). Health care facilities must adopt policies and procedures to ensure that patients are provided the opportunity to receive information regarding their rights and information on filing complaints with the facility or a state agency (Fla. Stat. § 381.0261(3)). Administrative sanctions are available against health care facilities and providers who fail to comply with the Bill of Rights (see Section II.C.).

Access to and disclosures of patient records and reports by health practitioners: A licensed health care practitioner who makes a physical or mental examination of or administers treatment to any person must, on request of the person or a legal representative, furnish copies of all reports and records relating to the examination or treatment. For certain types of psychiatric or psychological examinations, a report of examination may be provided instead of copies of records. Complete copies of a patient's psychiatric records must be provided to a subsequent treating physician on written request of the patient (Fla. Stat. § 456.057(6)). The term “health care practitioner” excludes pharmacists, dental hygienists, nursing assistants, and respiratory therapists, among a number of others (Fla. Stat. § 456.057(2)).

Records maintained by a health care practitioner may not be furnished to, and the medical condition of a patient may not be discussed with, any person other than the patient or a representative, or other health care practitioners and providers involved in the patient's care, except with the written authorization of the patient. Specified exceptions apply to compulsory physical examinations, pursuant to a civil or criminal action, for scientific or research purposes, for purposes of treating a poison episode, or to the Department of Children and Families for purposes of abuse investigation (Fla.
Stat. § 456.057(7)(a)). Any use of patient information for marketing or sales of goods or services without written authorization is prohibited (Fla. Stat. § 456.057(7)(b)). The law generally also prohibits the disclosure of any information disclosed to a health care practitioner by a patient in the course of care or treatment except to other health care practitioners and providers involved in the patient's care, if allowed by written patient authorization or if compelled by subpoena (Fla. Stat. § 456.057(7)(c)). Records and information may be disclosed in spite of the above provisions in specifically described circumstances related to a medical negligence action (Fla. Stat. § 456.057(7)(d)), or to the Department of Health under specified circumstances (Fla. Stat. § 456.057(8)). Documents obtained or maintained by the Department are confidential and may only be used for investigatory or disciplinary purposes (Fla. Stat. § 456.057(9)).

Record owners (defined by the statute as a health care practitioner who generates or receives a record, or the practitioner's employer) must develop and implement policies and standards to protect the confidentiality and security of medical records, and must train their employees on such policies and standards (Fla. Stat. § 456.057(10)). In addition, record owners must maintain a record of all disclosures of information to third parties, and any such third party is prohibited from further disclosing the information without the express written consent of the patient (Fla. Stat. § 456.057(11)). Violations of the requirements outlined above are subject to enforcement by licensing authorities and the Attorney General (see Section II.C.).

Access to and disclosures of hospital and other facility records: All licensed facilities (including hospitals, ambulatory surgical centers, or mobile surgical facilities (Fla. Stat.
§ 395.002(16))), on written request after the discharge of a patient, must furnish, in a timely manner and without delay for legal review, copies of all patient records requested by a patient, legal representative, next of kin, or parent of a minor, provided that the requestor agrees to pay a charge. The charge may include sales tax and actual postage and may not exceed $1.00 per page (except for nonpaper records, which are subject to a charge not to exceed $2.00). A facility may also charge an additional fee of up to $1.00 for each year of records requested. If, however, a patient's records are copied or searched for purposes of continuing medical treatment, the patient may not be charged a fee for copying. Finally, a facility must allow a requestor to examine the original records in its possession on reasonable terms imposed to assure that the records will not be damaged, altered, or destroyed (Fla. Stat. § 395.3025(1)).
The access requirements described above do not apply to records maintained by psychiatric facilities, records of mental health treatment, and records of persons impaired by substance abuse (Fla. Stat. § 395.3025(2)-(3)). In general, patient records maintained by licensed facilities are confidential and may not be disclosed without the consent of the patient or a representative, but a number of exceptions apply, including disclosures to facility personnel or health care practitioners involved in the patient's care, disclosures for administrative purposes, and disclosures to the Department of Health for the purpose of epidemiological investigation, among others (Fla. Stat. § 395.3025(4)-(5)). An unauthorized release of information by an agent of the Department of Health that would identify an individual patient is a first-degree misdemeanor (Fla. Stat. § 395.3025(5)). A recipient of patient record information may use the information only for the purpose for which it was disclosed and may not further disclose it without written consent (Fla. Stat. § 395.3025(7)). Employers providing health and life insurance benefits: Any employer that provides or administers health insurance or life insurance benefits to its employees must maintain the confidentiality of information relating to the medical condition of any person covered by such benefits. Such information is exempt from the Florida public records law, and an employer failing to implement a procedure to protect the confidentiality of such information is liable to any person damaged, and other liability may apply (Fla. Stat. § 760.50(5); see Section I.G.4.). HMOs and prepaid health clinics: Any health maintenance organization (HMO) or prepaid health clinic must maintain confidentiality against unauthorized or inadvertent disclosure of confidential information concerning psychotherapeutic services provided to subscribers and records and reports related to such services. 
HMOs and prepaid health clinics may provide aggregate data that does not disclose subscriber identities or other identities to payors, sponsors, researchers, and accreditation bodies (Fla. Stat. § 641.59). Medical records maintained by an HMO are not subject to audit by the Department of Insurance, but may be subject to subpoena or disclosed pursuant to disclosure requirements applicable to health care practitioners (see above) (Fla. Stat. § 641.27). Nursing homes: Licensed nursing home facilities must include a statement of a resident's right to privacy in treatment in the statement of rights and responsibilities required to be provided to every resident, and all personal and medical records of a resident are confidential and exempt from Florida public records law (Fla. Stat. § 400.022(1)(m)). On receipt of a request that complies with federal Health Insurance Portability and Accountability Act (HIPAA) requirements, a nursing home facility must provide a copy of a resident's paper and electronic records in the facility's possession to the resident or an authorized representative. The records must include medical records and records concerning the care and treatment of the resident, except for progress notes and psychiatric consultation reports. A facility must provide requested records within 14 working days after receipt of a request from a current resident or 30 days from receipt of a request from a prior resident (Fla. Stat. § 400.145(1)). Facilities are not required to provide resident records more than once a month, except that copies of physician reports must be provided as often as necessary to allow effective monitoring of the resident's condition (Fla. Stat. § 400.145(7)). Specific requirements apply to requests of the medical records of deceased residents and to fees for copies (Fla. Stat. § 400.145(2)-(4)). 
If a facility determines that the release of records would be detrimental to the physical or mental health of the resident, it may refuse to furnish the records directly to the resident, but on a subsequent written request by the resident, must provide the records to any medical provider designated by the resident (Fla. Stat. § 400.145(5)). Remedies are available to aggrieved residents whose rights are violated (see Section I.G.4. and Section II.C.). Mental health records: Clinical records maintained for patients being treated for mental health conditions are confidential and exempt from Florida public records laws (Fla. Stat. § 394.4615(1)). There are specific circumstances under which such records must be released, including when authorized by the patient or a guardian, or by court order, and when the information may be released,
as when the patient has declared an intention to harm another or if a facility administrator determines that release is necessary for the treatment of the patient (Fla. Stat. § 394.4615(2)(3)). Patients must have reasonable access to their records unless it is determined to be harmful to the patient by the patient's physician. If the patient's right is so restricted, written notice must be given to the patient or a specified representative. Any such restriction expires after seven days but may be renewed for subsequent seven-day periods (Fla. Stat. § 394.4615(10)). Prepaid limited health service organizations: Any information pertaining to the diagnosis, treatment, or health of an enrollee in a prepaid limited health service organization is confidential and exempt from the provisions of the Florida public records law. Such information is only available pursuant to the specific written consent of the enrollee or as otherwise provided by law (Fla. Stat. § 636.064(1)). In addition, any proprietary financial information contained in a contract between a provider and a prepaid limited health service organization is confidential and exempt from the provisions of the Florida public records law (Fla. Stat. § 636.064(1)). Prepaid limited health service organizations are subject to the same limitations as health insurers with respect to the use or solicitation of genetic information (Fla. Stat. § 636.0201; see below). Cancer registry: Information submitted to the state's cancer registry program that discloses or could lead to the disclosure of the identity of any person is confidential and exempt from the Florida public records law. Certain disclosures are permitted, however, including those made with written consent (Fla. Stat. § 385.202(3)). Genetic testing: In general, DNA analysis (which includes DNA typing and genetic testing) may only be performed with the informed consent of the subject. 
The results are the exclusive property of the person tested, are confidential and may not be disclosed without the subject's consent, and are exempt from the Florida public records law (Fla. Stat. § 760.40(1)-(2)). A person violating these provisions is guilty of a first-degree misdemeanor (Fla. Stat. § 760.40(2)(b)). Persons performing DNA analysis or receiving records of such an analysis must provide the subject with notice that the analysis was performed or information was received. The notice must state that the information will be made available to the subject's physician on request, and whether the information was used in any decision to grant or deny any insurance, employment, mortgage, loan, credit, or educational opportunity. If the information was used in a decision resulting in a denial, the analysis must be repeated to verify accuracy, and if the first analysis is found to be inaccurate, the denial must be reviewed (Fla. Stat. § 760.40(3)). Health insurers may not require or solicit genetic information, use genetic test results, or consider a person's actions relating to genetic testing in any manner for any insurance purpose (Fla. Stat. § 627.4301(2)(b)). HIV/AIDS: In both a health and a nonhealth care setting, a person must obtain informed consent of the subject prior to HIV/AIDS testing. The results of the test and the identity of the subject are confidential and are exempt from Florida public records laws. In general, disclosure of HIV/AIDS-related information without the subject's consent is prohibited, although the law provides for a variety of exceptions (Fla. Stat. § 381.004(2)). In addition, under specified conditions, health care practitioners may disclose otherwise confidential information to a sexual partner or a needle-sharing partner (Fla. Stat. § 456.061). Disciplinary action and criminal penalties are provided for violations of the provisions outlined above (see Section II.C. and Section I.H.). 
Specific requirements regarding required consent for testing for HIV/AIDS and confidentiality of any related information apply to insurers (Fla. Stat. § 627.429(4)(f)) and HMOs (Fla. Stat. § 641.3007(4)(f)). Employers are restricted from requiring an applicant to submit to an HIV/AIDS test (see Section I.E.6.). Sexually transmitted diseases: In addition to the requirements regarding HIV/AIDS outlined above, any information held by the Department of Health relating to known or suspected cases of sexually transmitted diseases is confidential and exempt from Florida public record laws. Such information may not be released or made public except under statutorily defined conditions, including the consent of all
parties to whom the information applies (Fla. Stat. § 384.29(1)). Criminal penalties apply to violations (see Section I.H.). For information specific to minors, see Section I.D.12. Substance abuse: Records of substance abuse service providers pertaining to the identity of, diagnosis and prognosis of, and any service provided to any individual are confidential and exempt from Florida public records law. The records may not be disclosed without the written consent of the individual, except for specific circumstances such as a medical emergency, for research or audit purposes, or on court order. Specific exceptions are provided for law enforcement activities and other circumstances (Fla. Stat. § 397.501(7)). Liability for damages and criminal penalties and fines apply to violations (see Section I.G.4. and Section I.H.). For information specific to minors, see Section I.D.12. FIPA: Information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis, as well as a health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual, is considered “personal information” under the Florida Information Protection Act (FIPA). Therefore, such data is subject to the data security, data disposal, and breach notification requirements of FIPA. For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification). Insurance regulations: For information on regulations governing the handling of nonpublic consumer health information by insurers, see Section I.E.7. 10. Social Security Numbers FIPA: Social security numbers (SSNs) are included as a data element that, when combined with an individual's name, is considered “personal information” under the Florida Information Protection Act (FIPA). 
Therefore, such data is subject to the data security, data disposal, and breach notification requirements of FIPA. For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification). Public records law: In general, social security numbers may not be collected by state agencies and may not be released as part of a public records request. However, exceptions apply under certain circumstances, including disclosures to a commercial entity for a statutorily permissible use (Fla. Stat. § 119.071(5)(a)(1)-(7)). Student SSNs: When a student enrolls in a public school, the school district must request that the student provide his SSN and must indicate whether the student ID number assigned to the student is an SSN. However, a student is not required to provide an SSN as a condition for enrollment or graduation. The Commissioner of Education is charged with assisting school districts in the assignment of student ID numbers to avoid any duplication (Fla. Stat. § 1008.386(1)). In addition, the Department of Education must establish a process for assigning Florida student ID numbers to each student in the state, at which time a school district may no longer use SSNs as student ID numbers (Fla. Stat. § 1008.386(2)). 11. Usernames & Passwords FIPA: An individual's financial account number or credit or debit card number, in combination with the individual's name and any required security code, access code, or password, and a username or e-mail address, in combination with a password or security question and answer permitting access to an individual's online account, are data elements that are considered “personal information” under the Florida Information Protection Act (FIPA). Therefore, such data is subject to the data security, data disposal, and breach notification requirements of FIPA. For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. 
(data disposal), and Section I.C.8. (breach notification). 12. Information about Minors Sexually transmitted diseases: Under provisions of the public health law permitting a minor to consent to treatment for a sexually transmitted disease without the consent of a parent, a provider of such treatment must keep information concerning such treatment confidential and may not divulge the information in any manner (i.e., sending a bill for services to a parent or guardian), unless there are other legal reasons for permitting disclosure (Fla. Stat. § 394.30).
Substance abuse: Given that minors have the right to submit to substance abuse treatment without consent, any written consent for disclosure of confidential information by a service provider may only be given by the minor. The restriction applies to any disclosure of identifying information to a parent or guardian for purposes of obtaining financial reimbursement (Fla. Stat. § 397.501(7)(e)(1)). In instances when the consent of a parent or guardian is required for a minor to obtain substance abuse treatment, a written consent for disclosure of confidential information must be given by both the minor and the parent or guardian (Fla. Stat. § 397.501(7)(e)(2)). 13. Location Data In general, a person may not knowingly install a tracking device or application on another person's property without the other person's consent (Fla. Stat. § 934.425(2)). The law defines a “tracking application” to be a software program whose primary purpose is to track or identify the location or movement of an individual, and defines a “tracking device” to be any device whose primary purpose is to reveal its location or movement by the transmission of electronic signals (Fla. Stat. § 934.425(1)(b)-(c)). Any prior consent is presumed to be revoked if the consenting person and the person to whom consent was given were married and one party files for divorce, or if one party to the prior consent files an injunction for protection against the other (Fla. Stat. § 934.425(3)). 
Exceptions apply for specified law enforcement officers, tracking devices installed on the property of minor children or elderly or disabled persons under certain circumstances, persons acting in good faith on behalf of a business entity for a legitimate business purpose, and owners and lessees of a motor vehicle, provided that the device or application is removed before a transfer of title or lease expiration, the new owner or lessee consents to nonremoval, or the owner at the time of the installation was the original manufacturer (Fla. Stat. § 934.425(4)). Violators are guilty of a second-degree misdemeanor (Fla. Stat. § 934.425(5)). 14. Other Personal Data Trade secret information: A person who willfully, knowingly, and without authorization discloses data, programs, or supporting documentation that meet the definition of a trade secret under Florida law residing or existing internal or external to a computer, computer system, computer network, or electronic device commits an offense against intellectual property (Fla. Stat. § 815.04(4)). An offense against intellectual property is a third-degree felony, or a second-degree felony if committed for the purposes of devising or executing a scheme or artifice to defraud or to obtain property (Fla. Stat. § 815.04(5)). E. SECTOR-SPECIFIC PROVISIONS 1. Advertising & Marketing Anti-spam law: The Florida Electronic Mail Communication Act is the state's anti-spam law and is designed to protect the public and legitimate businesses from deceptive and unsolicited commercial e-mail (Fla. Stat. § 668.60 et seq.). 
General prohibition: Under the law, no person may initiate or assist in the transmission of an unsolicited commercial e-mail message from a computer located in Florida or to an electronic e-mail address held by a Florida resident that does any of the following:
• uses a third party's Internet domain name without permission of the third party;
• contains falsified or missing routing information or otherwise misrepresents or obscures any information in identifying the point of origin or the transmission path of the unsolicited commercial e-mail;
• contains false or misleading information in the subject line; or
• contains false or deceptive information in the body of the message that is designed to cause damage to the receiving device of the addressee or of another recipient (but not including messages resulting from a computer virus without the sender's knowledge or consent) (Fla. Stat. § 668.603(1)).
In addition, a person may not distribute software or any other system designed to falsify missing routing information identifying the point of origin or transmission path of a commercial e-mail (Fla. Stat. § 668.603(2)).
The law does not require providers of Internet access services to block, transmit, route, delay, handle, or store certain types of e-mails, nor does it prohibit such providers from adopting a policy concerning commercial or other e-mails, including a policy of declining to transmit certain types of message, and enforcing such a policy (Fla. Stat. § 668.604). Civil remedies: The Attorney General may bring a cause of action or impose a civil penalty (see Section II.C.), and interactive computer services, telephone companies, and cable providers that handle or retransmit commercial e-mail may also have a cause of action (see Section I.G.1.). A violation of the provisions of the law is a criminal offense (see Section I.H.). Federal preemption: It should be noted that the federal CAN-SPAM Act preempts state claims that are not based on traditional tort theories of falsity and deception. 15 U.S.C. § 7707(b)(1). Right of publicity: No person may publish, display, or otherwise publicly use for purposes of trade or any commercial or advertising purpose the name, portrait, photograph, or other likeness of a natural person without the express written or oral consent of the person, a person authorized by that person to license his name or likeness, or in the case of a deceased person, a person so authorized or, if none, the deceased person's surviving spouse or children (Fla. Stat. § 540.08(1)). Exceptions apply for the publication of a name or likeness (a) in a bona fide news presentation, (b) in connection with the resale or other distribution of a literary, musical, or artistic production where the person consented to the use in the initial sale, or (c) solely as a member of the public where the person is not otherwise named or identified (Fla. Stat. § 540.08(4)). 
Specific remedies are available to persons who have not given consent, and for members of the armed services who have not given consent and are not subject to an exception (see Section I.G.4.). A corollary provision prohibits any person from selling a photograph, drawing, or other visual representation of a building or structure, the entry to which is subject to an admission fee, or using such a representation in connection with the sale or advertising of a product or service, without the express written consent or oral consent of the owner, unless the representation is for a bona fide news report or the depiction of the property is incidental (Fla. Stat. § 540.09(1)-(2)). In addition, a person may not use a tower or some other structure, to which the person charges admission, to allow customers to look into or view a previously established tourist attraction that is also subject to an admission fee, without the express written or oral consent of the owner or operator of the tourist attraction (Fla. Stat. § 540.09(3)). Specific remedies are available (see Section I.G.4.). Do-not-call: If a telephone subscriber asks the Department of Agriculture and Consumer Services to add his number to the state's “no sales solicitation calls” list, the Department must place the subscriber on the listing (Fla. Stat. § 501.059(3)(a)). No telephone solicitor may make an unsolicited telephonic sales call to any number on the then-current quarterly listing published by the Department (Fla. Stat. § 501.059(4)). In addition, such solicitors may not initiate an outbound telephone call to a consumer or donor who has previously communicated that he does not wish to receive a telephone call or text message (Fla. Stat. § 501.059(5)). 
The Department must investigate any complaints received concerning violations of the do-not-call provisions, and if an investigation finds that a violation has been committed, the Department or the Attorney General may bring an action to impose civil penalties or seek other relief (see Section II.C.). FIPA: Businesses in the advertising and marketing sector that acquire, maintain, or store personal information are considered “covered entities” and therefore are subject to the data security, data disposal, and breach notification requirements of the Florida Information Protection Act (FIPA). For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification). 2. Education FERPA conforming provisions: The rights of students and their parents with respect to educational records created, used, or maintained by public educational institutions and agencies are protected in accordance with the federal Family Educational Rights and Privacy Act (FERPA; see 20 U.S.C. § 1232g) and state law (Fla. Stat. § 1002.22(2)). Under these provisions, students and their parents have the right to access, inspect, and review their education records; the right to challenge the content
of such records in order to ensure their accuracy; the right to privacy with respect to the records; and the right to receive annual notice of their rights (Fla. Stat. § 1002.22(2)(a)-(e)). A parent or student has the right to bring an action in circuit court to challenge a violation by an official or employee of an educational institution (Fla. Stat. § 1002.22(4); see Section I.G.4.). Education records are confidential and exempt from Florida public records laws (Fla. Stat. § 1002.221(1)). An agency or institution may not release a student's education records without the written consent of the student or parent except as permitted by FERPA or pursuant to a statutory exception (Fla. Stat. § 1002.221(2); see also Fla. Stat. § 1002.222(1)(b)). Agencies and institutions are prohibited from collecting, obtaining, or retaining information on the political affiliation, voting history, religious affiliation, or biometric information of a student or a student's parent or sibling (Fla. Stat. § 1002.222(1)(a); for additional information on biometric data, see Section I.D.1.). Public postsecondary educational institutions must comply with all FERPA requirements, and an aggrieved student may bring an action to enforce his rights (Fla. Stat. § 1002.225; see Section I.G.4.). FIPA: Businesses in the education sector that acquire, maintain, or store personal information are considered “covered entities” and therefore are subject to the data security, data disposal, and breach notification requirements of the Florida Information Protection Act (FIPA). For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification). Social security numbers: Schools must request a social security number (SSN) from an enrolling student but may not make the provision of an SSN a condition for enrollment or graduation (see Section I.D.10.). 3. 
Electronic Commerce FIPA: Businesses operating in electronic commerce that acquire, maintain, or store personal information are considered “covered entities” and therefore are subject to the data security, data disposal, and breach notification requirements of the Florida Information Protection Act (FIPA). For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification). Account numbers prohibited on receipts: A merchant who accepts a credit card for payment may not print more than the last five digits of a person's credit card number or the expiration date of the card on any receipt provided to the cardholder (see Section I.D.4.). 4. Financial Services FIPA: Businesses in the financial services sector that acquire, maintain, or store personal information are considered “covered entities” and therefore are subject to the data security, data disposal, and breach notification requirements of the Florida Information Protection Act (FIPA). For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification). Access to and disclosure of account information: Any depositor, borrower, member, or stockholder has the right to inspect books and records of a financial institution pertaining to his accounts or voting rights. In addition, the books and records pertaining to the accounts and loans of such persons are confidential and may only be released upon express written authorization of the account holder, unless a statutory exception applies (Fla. Stat. § 655.059(2)(a)-(b)). For more information, see Section I.D.8. 
Regulations on privacy of nonpublic personal financial information: The Division of Consumer Services and the Office of Insurance Regulation, both part of the Florida Department of Financial Services, have each adopted regulations generally conforming to model regulations issued by the National Association of Insurance Commissioners concerning the privacy of nonpublic personal financial information collected, maintained, and used by entities subject to the state's Insurance Code. For a comprehensive discussion of these regulations, see Section I.E.7.
5. Health Care FIPA: Businesses in the health care sector that acquire, maintain, or store personal information are considered “covered entities” and therefore are subject to the data security, data disposal, and breach notification requirements of the Florida Information Protection Act (FIPA). For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification). Regulations on privacy of nonpublic personal financial and health information: The Division of Consumer Services and the Office of Insurance Regulation, each of which is part of the Florida Department of Financial Services, have each adopted regulations generally conforming to model regulations issued by the National Association of Insurance Commissioners concerning the privacy of nonpublic personal health information collected, maintained, and used by entities subject to the state's Insurance Code. For a comprehensive discussion of these requirements, see Section I.E.7. Medical and payment record information: General access and disclosure requirements applicable to medical and payment records and information apply to hospitals, physicians, and other health care facilities and practitioners. In addition, the law contains requirements applicable to specific health care practitioners and facilities. For information on these requirements, see Section I.D.9. 6. HR & Employment Drug testing program: Employers that implement a drug-free workplace policy in accordance with Florida law that includes notice, education, and procedural requirements may require an employee to submit to a drug or alcohol test, and if drugs or alcohol are found in the employee's system at a level prescribed by rule, the employer may terminate the employee and cause the employee to forfeit eligibility for medical and indemnity benefits. 
The drug-free workplace program must require the employer to notify all employees that it is a condition of employment to refrain from reporting to work or working with the presence of drugs or alcohol in the employee's system and that, if an injured employee refuses to submit to testing, the employee forfeits eligibility for medical and indemnity benefits (Fla. Stat. § 440.101(2)). An employer may test an employee or job applicant for any drug described under the law, but the law does not create a legal duty on the part of an employer to conduct such testing (Fla. Stat. § 440.102(1)(c) and (2)). The statute specifies the elements of a drug-free workplace program, including notice to employees and applicants, procedures and employee protection requirements, confirmation testing, and confidentiality, among others (Fla. Stat. § 440.102(3)-(14)). Medical records: Any medical records and medical reports of an injured employee and any information identifying an injured employee in medical bills provided to the Department of Financial Services for purposes of workers' compensation requirements are confidential and exempt from Florida public records law, except as otherwise provided by law (Fla. Stat. § 440.125). Electronic surveillance: For information on restrictions imposed on employers with respect to the electronic surveillance of employees, see Section I.F. Criminal background checks: For information on provisions prohibiting discrimination in hiring based on a criminal background check, and requiring background checks with respect to certain types of employment, see Section I.D.5. 
References: An employer who discloses information about a former or current employee to a prospective employer on the request either of the prospective employer or the former or current employee is immune from civil liability with respect to the disclosure unless it is shown by clear and convincing evidence that the information disclosed was knowingly false or violated any civil right of the former or current employee protected under the state's civil rights law (Fla. Stat. § 768.095). Restrictions on employer regulation of firearms: No public or private employer may prohibit a customer, employee, or invitee from possessing any legally owned firearm that is lawfully possessed and locked inside a private motor vehicle in a parking lot to which the person has legal access, or inquire regarding the presence of a firearm or search the vehicle (Fla. Stat. § 790.251(1)(a)-(b)). In addition, no employer may condition employment on the fact that an employee holds or does not hold
a license to carry a firearm or on an agreement that prohibits an employee from keeping a legal firearm locked in the employee's vehicle (Fla. Stat. § 790.251(1)(c)). No employer may prohibit a customer, employee, or invitee from entering the parking lot of the employer's place of business based on the fact that the person's vehicle contains a properly concealed firearm, and no employer may terminate an employee for exercising his right to keep and bear arms or exercising a right to self-defense, provided the firearm is never exhibited on company property for any reason other than lawful defensive purposes (Fla. Stat. § 790.251(1)(d)-(e)). Exceptions apply to employers with respect to school properties; correctional institutions; nuclear-powered electricity generation facilities; property on which substantial activities regarding national defense, aerospace, and homeland security are conducted; property on which the primary business involves combustible or explosive materials; motor vehicles owned or leased by a public or private employer; or any other property on which firearms possession is otherwise prohibited by federal law or contract or state law (Fla. Stat. § 790.251(7)). The Attorney General has enforcement authority over these provisions (see Section II.C.), and a private cause of action is available (see Section I.G.4.).

HIV/AIDS: No employer may require an individual to take an HIV/AIDS-related test as a condition of hiring, promotion, or continued employment, or fail to hire, refuse to hire, or discharge any individual on the basis of an HIV/AIDS-related test, unless the absence of HIV is a bona fide occupational qualification for the job in question. The statute describes the burden of proof employers must meet to satisfy the bona fide requirement (Fla. Stat. § 760.50(3)). A person aggrieved by a violation has a private cause of action (see Section I.G.4.).
FIPA: Employers that acquire, maintain, or store personal information are considered “covered entities” and therefore are subject to the data security, data disposal, and breach notification requirements of the Florida Information Protection Act (FIPA). For an explanation of these provisions, see Section I.C.6. (data security), Section I.C.7. (data disposal), and Section I.C.8. (breach notification).

7. Insurance

Regulations on privacy of nonpublic personal financial and health information: The Florida Insurance Code specifically requires the Department of Financial Services and the Financial Services Commission to adopt rules concerning the privacy of nonpublic personal financial and health information collected, maintained, and used by entities subject to the state's Insurance Code (Fla. Stat. § 626.9651). Pursuant to this requirement, the Division of Consumer Services and the Office of Insurance Regulation, both part of the Department of Financial Services, have adopted essentially identical regulations that generally conform to model regulations issued by the National Association of Insurance Commissioners. The regulations from the Division of Consumer Services are at Fla. Admin. Code Ann. r. § 69J-128.001, et seq. The regulations from the Office of Insurance Regulation are at Fla. Admin. Code Ann. r. § 69O-128.001, et seq. The provisions are outlined in detail below.

Primary definitions: A “licensee” means all licensed insurers, producers, and other persons required to be licensed, or authorized or required to be authorized, or registered or required to be registered under the Florida Insurance Code (Fla. Admin. Code Ann. r. § 69J-128.002(16); Fla. Admin. Code Ann. r. § 69O-128.002(16)). “Consumers” are generally defined to include individuals seeking to obtain an insurance product or service from a licensee to be used primarily for personal, family, or household purposes (Fla. Admin. Code Ann. r. § 69J-128.002(5); Fla. Admin. Code Ann. r.
§ 69O-128.002(5)), while “customers” are consumers who have a continuing relationship with the licensee (Fla. Admin. Code Ann. r. § 69J-128.002(8); Fla. Admin. Code Ann. r. § 69O-128.002(8)). The regulations provide information regarding the determination of consumer status (Fla. Admin. Code Ann. r. § 69J-128.002(5)(b); Fla. Admin. Code Ann. r. § 69O-128.002(5)(b)), as well as examples of a continuing relationship with a customer (Fla. Admin. Code § 69J-128.002(9); Fla. Admin. Code Ann. r. § 69O-128.002(9)). “Nonpublic personal financial information” means personally identifiable financial information and any list, description, or other grouping of consumers derived using any personally identifiable financial
information that is not publicly available, but does not include health information (Fla. Admin. Code Ann. r. § 69J-128.002(19); Fla. Admin. Code Ann. r. § 69O-128.002(19)). The regulations provide guidance on what constitutes a reasonable basis for determining that information is publicly available (Fla. Admin. Code Ann. r. § 69J-128.002(22)(b); Fla. Admin. Code Ann. r. § 69O-128.002(22)(b)). “Personally identifiable financial information” is any information provided by a consumer to a licensee, any information about a customer from any transaction with the licensee, or information otherwise obtained by the licensee, among other specified items (Fla. Admin. Code Ann. r. § 69J-128.002(21); Fla. Admin. Code Ann. r. § 69O-128.002(21)). “Health information” means any oral or recorded information created by or derived from a health care provider or consumer, other than the individual's age or gender, relating to the individual's past or future physical, mental, or behavioral health or condition, or the provision of or payment for health care to the individual (Fla. Admin. Code Ann. r. § 69J-128.002(14); Fla. Admin. Code Ann. r. § 69O-128.002(14)). “Nonpublic personal health information” is health information that identifies the subject or for which there is a reasonable basis to believe that the information could be used to identify the subject (Fla. Admin. Code Ann. r. § 69J-128.002(20); Fla. Admin. Code Ann. r. § 69O-128.002(20)).

Privacy and opt-out notices: Licensees must provide an initial notice to a customer no later than when a customer relationship is established, or to a consumer before the licensee discloses nonpublic personal financial information to any nonaffiliated third party (Fla. Admin. Code Ann. r. § 69J-128.005(1); Fla. Admin. Code Ann. r. § 69O-128.005(1)).
Initial notice to a consumer is not required if the licensee does not disclose any information about the consumer to a nonaffiliated third party except as allowed by the regulations, or if a notice has been provided by an affiliated entity that meets regulatory requirements (Fla. Admin. Code Ann. r. § 69J-128.005(2); Fla. Admin. Code Ann. r. § 69O-128.005(2)). With respect to existing customers buying new products, a licensee satisfies the notice requirement if it provides a revised policy notice or if the initial notice previously given was accurate with respect to the new product (Fla. Admin. Code Ann. r. § 69J-128.005(4); Fla. Admin. Code Ann. r. § 69O-128.005(4)). Certain exceptions apply when establishing the customer relationship is not at the customer's election or when notice would substantially delay the transaction (Fla. Admin. Code Ann. r. § 69J-128.005(5); Fla. Admin. Code Ann. r. § 69O-128.005(5)).

With respect to opt-out notices, licensees must provide clear and conspicuous notice to consumers that explains the right to opt out. The notice must state that the licensee discloses or reserves the right to disclose nonpublic financial information about a consumer and that the consumer has the right to opt out of the disclosure, together with a reasonable means by which the customer may opt out. The regulation provides examples of adequate opt-out notices, and reasonable and unreasonable opt-out means (Fla. Admin. Code Ann. r. § 69J-128.008(1); Fla. Admin. Code Ann. r. § 69O-128.008(1)). The opt-out notice may be provided on the same form as the initial notice form, but if it is provided subsequent to the initial notice, a copy of the initial notice must accompany the opt-out notice (Fla. Admin. Code Ann. r. § 69J-128.008(2)-(3); Fla. Admin. Code Ann. r. § 69O-128.008(2)-(3)). Licensees must comply with a consumer opt-out as soon as practicable after receiving it, and the consumer may exercise the right at any time (Fla. Admin. Code Ann. r.
§ 69J-128.008(5)-(6); Fla. Admin. Code Ann. r. § 69O-128.008(5)-(6)). The opt-out is effective until the consumer revokes it. When a customer relationship terminates, the licensee must continue to comply with any opt-out direction in effect at the time of termination, but if a customer relationship is reestablished, the prior opt-out notice does not apply to the new relationship (Fla. Admin. Code Ann. r. § 69J-128.008(7); Fla. Admin. Code Ann. r. § 69O-128.008(7)).

In general, licensees must provide an annual privacy notice to customers, although they are not required to provide annual notice to former customers (Fla. Admin. Code Ann. r. § 69J-128.006; Fla. Admin. Code Ann. r. § 69O-128.006). The regulations specify the contents of privacy notices (Fla. Admin. Code Ann. r. § 69J-128.007; Fla. Admin. Code Ann. r. § 69O-128.007), as well as requirements for revising privacy notices (Fla. Admin. Code Ann. r. § 69J-128.009; Fla. Admin. Code Ann. r. § 69O-128.009) and delivery of privacy notices (Fla. Admin. Code Ann. r. § 69J-128.010; Fla. Admin. Code Ann. r. § 69O-128.010).

Limitations on disclosure of nonpublic personal financial information: A licensee may not disclose nonpublic personal financial information about a consumer unless the licensee has provided an initial