Fla. Admin. Code Ann. R. 2-3.004 - Florida Digital Bill of Rights - Standards for Authenticated Consumer Requests
(1) Authentication
- Upon receipt of a request to exercise consumer's rights pursuant to Section 501.705, F.S., and prior to taking any action thereon or providing any response thereto, a controller shall use a commercially reasonable method to authenticate the consumer. In the event a person submits a request on behalf of another consumer, the controller shall use a commercially reasonable method to authenticate the person and determine whether the requestor is an authorized person who is entitled to submit the request on the consumer's behalf.
(a) To determine whether a method of authentication is commercially reasonable, the controller shall consider:
1. The rights the requestor is seeking to exercise;
2. The type, sensitivity, value and volume of personal data at issue;
3. The degree of possible harm that could be suffered by the consumer in the event of improper access, use or deletion of their personal data; and
4. The cost to the controller for completing the authentication method.
(b) A controller shall avoid requesting additional personal data from a consumer or authorized person for the purpose of authentication. If the controller cannot authenticate the consumer or the authorized person's authority to act on the consumer's behalf, the controller may request additional information from the person submitting the request, which shall only be used for the purpose of completing the authentication. The controller shall immediately delete the newly obtained, additional data upon completion of the authentication process.
(c) A controller shall not require either a consumer, or an authorized person to pay a fee to either the controller, or any third party, for the purpose of authenticating either the person submitting the request, or their authority to submit the request.
(d) Authentication of Consumers Holding Password-Protected Accounts -
1. Where a consumer holds a password-protected account with the controller, the controller shall authenticate a consumer through the existing authentication method for the consumer's account.
2. A controller shall not require a consumer to create a new password-protected account to facilitate any form of authentication.
3. A controller shall implement effective security measures to detect and prevent fraudulent authentication activity.
4. In the event the controller detects potentially fraudulent or malicious authentication activity by or from the password-protected account, the controller shall:
a. Notify the consumer of the activity as soon as practicable;
b. Attempt to authenticate the consumer using commercially reasonable means as described in Section 1(a)-(c); and
c. Refrain from complying with or responding to the request as described in Section 501.706, F.S., until and unless the consumer can be authenticated.
(e) Where a consumer elects to appeal the controller's refusal to take action on a request pursuant to Section 501.707, F.S., and the appeal was requested by a person other than the person who submitted the original request, the controller shall authenticate the person requesting the appeal utilizing the same commercially reasonable authentication method established under Section 1(a)-(d).
Notes
Rulemaking Authority 501.72(5), F.S. Law Implemented 501.72(5), F.S.