(1) A person who meets the requirements of s. 501.702(9)(a)1.-3. for the definition of a controller may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer or, if the sensitive data is of a known child, without processing that data with the affirmative authorization for such processing by a known child who is between 13 and 18 years of age or in accordance with the Children’s Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq. for a known child under the age of 13. (2) A person in subsection (1) who engages in the sale of personal data that is sensitive data must provide the following notice: “NOTICE: This website may sell your sensitive personal data.”
(3) A person who violates this section is subject to the penalty imposed under s. 501.72. 
