Florida became the tenth state in the United States to approve a consumer privacy bill, SB 262, which goes into effect on July 1, 2024. Its passage on June 6, 2023 gave organizations slightly over a year to prepare for FDBR compliance.
Florida’s data privacy law is unusual in that SB 262 was drafted with three main parts:
- Florida Digital Bill of Rights, which covers consumer data privacy and security
- protection of children in online spaces
- prohibiting government-directed content moderation of social media platforms
What is the Florida Digital Bill of Rights (FDBR)?
The Florida Digital Bill of Rights (FDBR) is a state-level data privacy law that protects the digital privacy and personal data of over 21 million residents in Florida. It establishes data privacy requirements for businesses that operate in the state or offer goods and services to Florida residents and that process consumers’ personal data. Unlike other US state-level data privacy laws, it focuses on major tech companies, emerging consumer technologies, and online social media platforms. For this reason, it is considered narrower in scope and less comprehensive than many of the recent US state-level privacy laws.
Florida defines a consumer as someone who is a resident of or domiciled in the state and is acting on an individual or household basis rather than on a commercial or employment basis.
Florida follows an opt-out model like most other US state-level privacy laws, meaning that consumer consent isn’t required before data collection or processing in many cases. There are some exceptions when prior consumer consent is required, particularly when dealing with personal data belonging to a known child. Florida’s law differs from others by defining a child as anyone under 18, unlike the more common age limit of 13.
Businesses that fall under the scope of the Florida data privacy law must clearly inform consumers about their data collection and processing activities, outline consumer rights, and explain how to exercise those rights.
Definitions under the Florida Digital Bill of Rights
The FDBR is more detailed in defining key terms than some other recent US privacy laws.
Personal data and personal information under the FDBR
Personal data is defined as “any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.“
The definition excludes deidentified data or publicly available information.
The provisions of the FDBR that deal with the protection of children in online spaces define personal information separately as “information that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child.”
Extension of the Florida Information Protection Act
Since 2014, the Florida Information Protection Act (FIPA) has defined and covered various forms of data, including electronic information stored by businesses. Its requirements for reasonable data security and breach reporting are fairly standard compared to more recent comprehensive privacy laws.
The FDBR broadens the definition of personal information under FIPA, which already covered Social Security numbers, financial details, and personal contact information, to include biometric and geolocation data, among other data types generated by emerging technologies.
Sensitive data under the FDBR
Sensitive data under the Florida privacy law includes categories of personal data that could cause harm if misused, including any of:
- racial or ethnic origin
- religious beliefs
- mental or physical health diagnosis
- sexual orientation
- citizenship or immigration status
- genetic or biometric data processed for the purpose of uniquely identifying an individual
- personal data collected from a known child (under 18 years of age)
- precise geolocation data (to within 1,750 feet / 533.4 meters)
Consent under the FDBR
The FDBR defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative act.”
The Florida privacy law explicitly excludes the following from valid consent:
- acceptance of general or broad terms of use, or a similar document, that describes personal data processing alongside other, unrelated information
- hovering over, muting, pausing, or closing a given piece of content
- agreement obtained through the use of dark patterns
Florida’s privacy law also requires that consumers be able to revoke their consent at any time.
Controller under the FDBR
The FDBR defines controller in more detail than most other regulations, largely because it builds the compliance thresholds directly into the definition itself, which is uncommon.
A controller under the FDBR is a sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
- organized or operated for the profit or financial benefit of its shareholders or owners
- conducts business in Florida
- collects personal data about consumers, or is the entity on behalf of which such information is collected
- determines the purposes and means of processing personal data about consumers alone or jointly with others
- makes in excess of USD 1 billion in global gross annual revenue
The entity must also satisfy at least one of the following:
- derive 50 percent or more of its global gross annual revenue from the sale of advertisements online, including providing targeted advertising or the sale of ads online
- operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation
- the law specifies that a consumer smart speaker and voice command component service does not include a motor vehicle, speaker, or device associated with or connected to a vehicle which is operated by a motor vehicle manufacturer or its subsidiary or affiliate
- operate an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install
Processor under the FDBR
A controller may share personal data for processing purposes with a third party, known under the law as a processor or “a person who processes personal data on behalf of a controller.”
Sale of personal data under the FDBR
The Florida data privacy law defines sale as “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.”
It excludes disclosure of personal data:
- to a processor who processes the personal data on the controller’s behalf
- to a third party for purposes of providing a product or service requested by the consumer
- that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience
- to a third party as an asset that is part of a merger or an acquisition, including transfer of such personal data
Targeted advertising under the FDBR
The FDBR defines targeted advertising as “displaying to a consumer an advertisement selected based on personal data obtained from that consumer’s activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer’s preferences or interests.”
The definition excludes ads that are:
- based on the consumer’s activities within a controller’s own internet websites or apps
- directed to a consumer’s search query on the controller’s own website or online app in response to the consumer’s request for information or feedback
Surveillance under the FDBR
Rather than defining surveillance, the FDBR restricts it by feature. It states that “a device that has a voice recognition feature, a facial recognition feature, a video recording feature, an audio recording feature, or any other electronic, visual, thermal, or olfactory feature that collects data may not use those features for the purpose of surveillance by the controller, processor, or affiliate of a controller or processor when such features are not in active use by the consumer, unless otherwise expressly authorized by the consumer.”
The FDBR does not specifically include a definition of surveillance, and the absence of a legal definition could complicate matters for tech companies whose products rely on increasingly common “smart” technologies. Without a clear definition, drafting consumer privacy and consent notices could become legally challenging.
Who has to comply with the Florida Digital Bill of Rights?
The FDBR applies to businesses that operate in Florida or offer products and services specifically aimed at Florida residents and collect or process consumers’ personal data. As outlined in the definition of “controller,” the regulation’s compliance requirements differ somewhat from many other US state-level privacy laws.
A business must comply with the FDBR if it:
- makes more than USD 1 billion in global gross annual revenue
and satisfies at least one of the following:
- derives 50 percent or more of its global gross annual revenue from the sale of advertisements online, including providing targeted advertising or the sale of ads online
- operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation
- a consumer smart speaker and voice command component service does not include a motor vehicle, speaker, or device associated with or connected to a vehicle which is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof
- operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install
Notably, the FDBR sets a revenue threshold at USD 1 billion in global gross annual revenue, clearly targeting larger corporations. In comparison, other states like California have set the bar much lower, with the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) requiring compliance at just USD 25 million in gross annual revenue. Meanwhile, newer laws like the Tennessee Information Protection Act (TIPA) and New Jersey Data Privacy Act (NJDPA) have no revenue-only threshold.
Currently, fewer than 6,000 businesses operating in Florida surpass the USD 1 billion revenue mark. When factoring in additional criteria, the number of companies required to comply would decrease even more.
The law also includes specific provisions that seem to home in on major tech companies involved in digital advertising, smart speaker technologies, voice commands, and digital distribution platforms. Such rules are unique to Florida and would affect companies like Apple and Alphabet (Google), which provide these technologies and manage major app stores.
Exemptions to Florida Digital Bill of Rights compliance
The Florida data privacy law exempts certain institutions from complying, including:
- state government agencies
- financial institutions, along with other entities and affiliates subject to the Gramm-Leach-Bliley Act
- insurance companies
- postsecondary education institutions
- nonprofit organizations
Data-related exemptions include:
- health records
- data used to provide financial services
- research data for human subjects covered by federal laws or standards
- data processed or maintained for employment purposes
- data created for or collected pursuant to several federal laws
The exemptions to the Florida data privacy law are largely in line with those of other US data privacy regulations, mainly deferring to existing federal laws, including:
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act
- Patient Safety and Quality Improvement Act
- Fair Credit Reporting Act
- Children’s Online Privacy Protection Act (COPPA)
- Family Educational Rights and Privacy Act
- Driver’s Privacy Protection Act
- Farm Credit Act
- Airline Deregulation Act
Consumers’ rights under the Florida Digital Bill of Rights
Consumers have several rights under the Florida data privacy law, in line with rights granted in other global and US data privacy regulations.
- Right to access: consumers can confirm if the controller is processing their personal data and access that data, with certain exceptions
- Right to correction: consumers can request that inaccurate data the controller has is corrected, taking into account the nature of the personal data and the purposes of its processing
- Right to delete: consumers can request the deletion of any personal data the controller has about or from the consumer, with certain exceptions
- Right to portability: consumers have the right to obtain a copy of their personal data in a readily usable format, with some exceptions
- Right to opt out: consumers can opt out of:
- the processing of their personal data for sale, targeted advertising, certain profiling “in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer”
- the collection or processing of sensitive data, including precise geolocation data
- the collection of personal data through the operation of a voice recognition or facial recognition feature
Parents or legal guardians can exercise these rights on behalf of their children.
The FDBR does not grant a private right of action, which would allow consumers to directly sue violators. An earlier data privacy bill in the state, which didn’t pass in 2021, did include this option. California’s is currently the only US state privacy law that gives consumers this right, and even there it is limited to certain data breaches rather than to privacy violations generally.
Controllers’ obligations under the Florida Digital Bill of Rights
The Florida privacy law tasks controllers with several responsibilities to protect consumers’ personal data.
Consumer rights requests under the FDBR
Controllers must notify consumers of:
- their rights regarding their personal data
- how consumers can exercise those rights, including contact information
- the procedure for appealing the controller’s decision (e.g. rejection of a consumer’s request)
This information is typically outlined in a privacy policy or privacy notice. Such requests are often called data subject requests (DSR) or data subject access requests (DSAR).
Controllers must establish at least two secure, reliable, and easily accessible methods for consumers to exercise their rights under the FDBR. While consumers can be asked to log in to an existing account for identity verification, they must not be required to create a new account just to exercise their rights.
If the controller operates a website, a direct option for consumers to exercise their rights must be available on that platform. Controllers that operate exclusively online and have collected the personal data directly from consumers can provide an email address for consumers to submit requests and exercise their rights.
The controller has 45 days from the date of receipt to respond to an authenticated consumer request. It can decline to act on the request for specific reasons, such as being unable to reasonably verify the consumer’s identity, or if the consumer submits an excessive number of requests within a 12-month period.
If extenuating circumstances prevent fulfilling the request within the 45-day period, the controller can extend the response period by 15 days, with prior notification to the consumer.
Controllers must let the consumer know within 60 days whether their request has been fulfilled. If a request is denied, the consumer can appeal the decision, and the controller must provide information on how to proceed with the appeal. The controller has 60 days to respond to the appeal.
Privacy notice under the FDBR
Controllers must publish a privacy notice detailing:
- categories of personal data processed, including sensitive data, if any
- purpose(s) for processing personal data
- methods for consumers to exercise their rights and appeal a controller’s decision
- categories of personal data shared with third parties, if any
- categories of third parties receiving personal data, if any
- how consumers can opt out of the sale of personal data to third parties or processing of personal data for targeted advertising or profiling
This information should be “reasonably accessible” to consumers, typically presented as a privacy policy on the business’s website.
If a controller sells sensitive personal data, they must also include a notice with the exact wording: “NOTICE: This website may sell your sensitive personal data” or “NOTICE: This website may sell your biometric personal data” depending on the type of data sold.
The privacy notice must be updated annually under the regulation.
Purpose limitation under the FDBR
Controllers are permitted to process personal data for the purpose(s) communicated to consumers, provided that the processing remains “adequate, relevant, and reasonably necessary” while being proportional to those purposes.
Data security under the FDBR
Controllers are duty bound to protect personal data. They must establish, implement, and maintain reasonable administrative, technical, and physical security measures that are appropriate to the nature and volume of personal information being processed.
Data protection assessments (DPA) under the FDBR
The Florida data privacy law requires controllers to conduct and document data protection assessments when they process personal data:
- for targeted advertising
- for sale
- categorized as sensitive personal data
- for profiling that poses a foreseeable risk of unfair or deceptive treatment or unlawful impact on consumers; financial, physical or reputational injury; offensive intrusion into consumers’ private affairs; or other substantial injury
- that presents a heightened risk of harm to consumers
The Attorney General can request a DPA from a controller, usually as part of an investigation into potential violations.
Consent requirements under the FDBR
Like many other US states with consumer privacy laws, Florida operates on an opt-out model, meaning user consent isn’t required before collecting and processing personal data in many instances. However, obtaining consent is mandatory before handling sensitive personal data.
Consumers must receive clear notice about data processing and be able to opt out of the sale of personal data, its use for targeted advertising or profiling, or data collection involving facial or voice recognition technologies.
Regarding minors, the FDBR follows the federal Children’s Online Privacy Protection Act (COPPA). It mandates obtaining consent from a parent or legal guardian before processing any personal data of a known child. Under the Florida privacy law, all personal data belonging to children under 18 is considered sensitive by default. By expanding protection to those under 18, the FDBR emphasizes safeguarding children’s personal information until they become legal adults.
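The consent definition and exclusions above, together with the opt-out model and the prior-consent rule for sensitive and children’s data in this section, can be expressed as a small decision procedure. The following is an added illustration written for this page, not code from the FDBR text or from any Usercentrics product; the event labels (`click_accept`, `hover`, and so on), the purpose names, and the `ConsentLedger` API are assumptions about how a front end might label interactions, chosen to mirror the categories the law names.

```javascript
// Added example (not part of the FDBR or of Usercentrics' code).
// Models the consent rules described in the article: consent must be a clear
// affirmative act; hover/mute/pause/close and blanket terms-of-use acceptance do
// not count; dark patterns invalidate consent; consent is revocable; sensitive
// data and known-child data need prior (parental) consent; every other purpose
// runs on an opt-out basis.

// Event labels are this example's assumption about how a UI might tag
// interactions; the FDBR names the excluded acts, not these keys.
const AFFIRMATIVE_ACTS = new Set(["click_accept", "toggle_on", "written_statement"]);
const NOT_CONSENT = new Set(["hover", "mute", "pause", "close", "accept_general_terms"]);

// Purposes that require prior consent; any purpose not listed here is opt-out.
const PRIOR_CONSENT_PURPOSES = new Set(["sensitive_data", "precise_geolocation"]);

class ConsentLedger {
  constructor() {
    // key: "<consumerId>|<purpose>" -> { status, event, givenByParent, at }
    this.records = new Map();
  }

  key(consumerId, purpose) {
    return `${consumerId}|${purpose}`;
  }

  // Attempt to record consent. Returns { accepted, reason } and only writes a
  // record when the interaction qualifies as valid consent.
  recordConsent({ consumerId, purpose, event, bundledWithUnrelatedTerms = false,
                  darkPattern = false, knownChild = false, givenByParent = false }) {
    if (NOT_CONSENT.has(event) || !AFFIRMATIVE_ACTS.has(event)) {
      return { accepted: false, reason: `'${event}' is not a clear affirmative act` };
    }
    if (bundledWithUnrelatedTerms) {
      return { accepted: false, reason: "consent bundled with unrelated terms is invalid" };
    }
    if (darkPattern) {
      return { accepted: false, reason: "consent obtained via a dark pattern is invalid" };
    }
    if (knownChild && !givenByParent) {
      return { accepted: false, reason: "known child: parent or guardian consent required" };
    }
    this.records.set(this.key(consumerId, purpose), {
      status: "consented", event, givenByParent, at: Date.now(),
    });
    return { accepted: true, reason: "consent recorded" };
  }

  // Consumers may revoke consent at any time.
  revoke(consumerId, purpose) {
    this.records.set(this.key(consumerId, purpose), { status: "revoked", at: Date.now() });
  }

  // Opt-out for sale, targeted advertising, profiling, etc.
  optOut(consumerId, purpose) {
    this.records.set(this.key(consumerId, purpose), { status: "opted_out", at: Date.now() });
  }

  // Whether processing for this purpose may proceed right now.
  mayProcess(consumerId, purpose, { knownChild = false } = {}) {
    const rec = this.records.get(this.key(consumerId, purpose));
    const status = rec ? rec.status : "none";
    if (knownChild || PRIOR_CONSENT_PURPOSES.has(purpose)) {
      // Prior-consent regime: nothing happens without a live consent record.
      return status === "consented";
    }
    // Opt-out regime: allowed unless the consumer has opted out or revoked.
    return status !== "opted_out" && status !== "revoked";
  }
}

module.exports = { ConsentLedger, AFFIRMATIVE_ACTS, NOT_CONSENT, PRIOR_CONSENT_PURPOSES };
```

The point of the split between the two regimes in `mayProcess` is that a missing record means "allowed" for targeted advertising but "blocked" for sensitive data and for anything involving a known child; a real deployment would persist the ledger and the evidence behind each record, since the Attorney General can ask for it.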
Nondiscrimination under the FDBR
Controllers must not unlawfully discriminate against consumers or process personal data in violation of state or federal anti-discrimination laws. They also cannot discriminate against consumers for exercising their rights. For example, consumers can’t be denied access to a website just because they’ve opted out of personal data collection.
However, some website features may require certain trackers to function correctly. If consumers choose not to allow these trackers because they collect personal data, the site might not work optimally, which is not considered discriminatory.
Controllers can offer voluntary incentives, such as discounts for consumers who participate in activities like loyalty programs or newsletter subscriptions, where personal data is collected and processed. Such incentives should be reasonable and proportionate to the data collected, since regulators disapprove of disproportionate rewards that may appear to be bribes.
Data processing agreements under the FDBR
The Florida data privacy law requires controllers to enter into contracts with processors to outline data processing procedures. Although the regulation doesn’t explicitly call this a “data processing agreement,” it’s similar to agreements required by other privacy regulations like the General Data Protection Regulation (GDPR) and the Virginia Consumer Data Protection Act (VCDPA).
These contracts are crucial since the controller is ultimately liable for processing activities or privacy breaches caused by a third-party processor’s actions.
The contract should include details on:
- instructions for processing data
- nature and purpose of data processing
- type of data being processed
- duration of processing
- rights and obligations of both parties
- duty of confidentiality
Processors are also required to assist controllers in meeting their duties under the Florida data privacy law that relate to security, transparency, retention, deletion, assessment, and reporting.
Enforcement of the Florida Digital Bill of Rights
The Attorney General of Florida and the Department of Legal Affairs have exclusive authority to enforce the FDBR. While the law doesn’t grant consumers a private right of action, they can report suspected violations or complaints about denied requests to the Attorney General’s office. The Attorney General must give written notice to the accused parties, detailing the alleged violations.
Similar to the Colorado Privacy Act (CPA), violations of the FDBR are treated as deceptive trade practices.
After the Attorney General notifies an organization of violations in writing, a 45-day cure period may be granted for the organization to address the issues and implement measures to prevent them recurring without facing penalties.
If the issues are resolved or cured to the Attorney General’s satisfaction and the organization provides written confirmation, financial penalties will likely be avoided. However, the organization might receive a guidance letter indicating that future violations won’t qualify for another cure period.
The cure period doesn’t apply if a violation involves a known child. The Department of Legal Affairs will also evaluate factors like the number and seriousness of violations before deciding whether to allow a cure period.
Cure periods in other state-level privacy laws typically range from 30 to 90 days. Unlike some of these other laws, the FDBR does not include a provision to sunset the cure period after a year or two.
Fines and penalties under the FDBR
If a controller or its data processors remain in violation after the cure period or after submitting their written statement, the Attorney General may launch an investigation and impose fines of up to USD 50,000 per violation. These penalties can be tripled if:
- the violation involves a known child
- a controller doesn’t delete personal data after receiving a verified consumer request (or a processor ignores a controller’s instructions to do so)
- a controller continues to sell or share a consumer’s personal data after the consumer exercises their opt-out rights
Prohibition of government censorship under Florida Privacy Law
The FDBR includes a new section that addresses social media, stipulating that government entities cannot request the removal of content or user accounts from social media platforms unless the content or account is used to commit a crime or violates Florida public records law.
This restriction might allow individuals to use social media to share content that could potentially conflict with other state-level laws, such as the Parental Rights in Education Law.
The definition of “social media platform” is broad and covers “a form of electronic communication through which users create online communities or groups to share information, ideas, personal messages, and other content.” This broad definition could lead to some legal challenges.
Protection of children under the Florida Privacy Law
The FDBR provides more detailed information and requirements for protecting children online than other US data privacy laws. The law triples financial penalties for violations involving known children.
The regulation’s definition of “substantial harm or privacy risk to children” includes several examples of potential harm and specifies ways children’s data cannot be collected or used. Additionally, it includes specific prohibitions for any “online platform that provides an online service, product, game, or feature likely to be predominantly accessed by children”.
The Florida Digital Bill of Rights and consent management
Florida’s consumer privacy law requires prior consent only for processing sensitive personal data and children’s data. Penalties for knowingly processing children’s data without prior consent are triple the standard penalty under the law.
Consumers must have the option to opt out of the collection and processing of their personal data for purposes like sale, targeted advertising, or profiling. This information should be available on the website, often in the privacy notice or privacy policy. Penalties for not respecting valid opt-out requests can also be tripled.
The opt-out mechanism can be presented as a cookie banner, usually as a link or button. A consent management platform (CMP) can help automate the detection of cookies and other tracking technologies on websites and apps.
Using a CMP simplifies the process of gathering and sharing mandatory information with consumers about data categories, services used by the controller or processor(s), and third parties with whom data is shared. Florida’s privacy law and many other data protection regulations worldwide require a similar notification.
The United States does not have a unified federal data privacy law, though legislation has been introduced several times. For the time being, businesses operating nationwide and internationally may need to comply with multiple consumer privacy laws. CMPs can enable businesses to display customized banners to users based on the legal requirements of their location.
This will enable companies to achieve FDBR compliance, as well as other current and upcoming regulations across the United States. For companies doing business internationally, using a consent management platform also enables compliance with regulations like the European Union’s GDPR, which has more strict consent management requirements than the laws in the US.
Preparing for the Florida Digital Bill of Rights
Organizations operating in Florida have until July 1, 2024, to prepare for compliance with the Florida data privacy law. Those already meeting other US state-level data privacy regulations, such as the Connecticut Data Privacy Act (CTDPA), will have completed much of the groundwork for compliance with the Florida regulation. However, it’s important to focus on Florida’s specific differences, particularly regarding children’s protection, government censorship, and compliance thresholds. Because of the high revenue threshold, many organizations will be exempt, however, some of the law’s requirements provide best practices for any company, which is beneficial for data security and building trust with customers.
A privacy by design strategy will be beneficial across organizations, whether for regulatory compliance or other reasons. Compliance with the FDBR involves understanding its specific requirements and providing users with the required information, accessible privacy notice, and opt-out options. Solutions like the Cookiebot CMP can help with managing cookie and tracking notification, providing users with information about the ones in use in the consent banner.
The FDBR is in its initial version, and, as technology and consumer expectations evolve, may undergo updates over time. Since the FDBR lacks a private right of action, consumer class-action lawsuits won’t influence future amendments like in California. Instead, case law will likely provide clarity, especially concerning newer technologies like facial and voice recognition, audio recording, or social media platform operation.
Consulting qualified legal counsel or your organization’s data privacy expert, such as a Data Protection Officer, is advisable to ensure you’re meeting compliance obligations.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.