Florida was the tenth state in the United States to pass a consumer privacy bill, SB 262<\/a>, with an effective date of July 1, 2024. It\u2019s the fifth of six states to pass a privacy law in 2023. As of June 6, 2023, when the bill was passed, organizations have just over a year to prepare for FDBR compliance.<\/p>\n Passage of comprehensive state-level privacy laws is gaining momentum in the United States in 2023, with Iowa, Indiana, Tennessee, Montana, Florida, and Texas all passing laws between March and June.<\/p>\n The data privacy law passed in Florida differs in a number of respects from the other comprehensive state privacy laws passed in the US, with a focus on child protection, social media, and technology regulation. Several aspects, including compliance thresholds, appear to particularly target big tech companies. A federal data privacy law in the US has not been passed to date.<\/p>\n\n\n The Florida Digital Bill of Rights (FDBR)<\/a> protects the digital privacy and personal data rights of Florida\u2019s more than 21 million residents, and establishes data privacy responsibilities for companies doing business in the state or providing goods or services targeting Florida residents. In the course of doing business these organizations process consumers\u2019 personal information. This law is a bit different from others passed in the US to date, however, with its focus on large tech companies, newer consumer technologies, and online social media platforms.<\/p>\n Like other states with data privacy laws, Florida defines a consumer as a resident of or person living in the state who is acting in an individual or household context and not in a commercial or employment context.<\/p>\n Like all the other comprehensive data privacy regulations passed in the US to date, the FDBR uses an opt-out model. Data subject consent is not required prior to data collection or processing in many cases. Businesses that are required to comply with the Florida privacy law must inform consumers about what data collection and processing they perform, what consumers\u2019 rights are, and how to exercise them.<\/p>\n Notifications need to include what data is collected, for what purposes, third parties with whom the data is shared, etc. Businesses must provide consumers with ways to opt out of data collection and processing for several purposes: sale, targeted advertising, or profiling. Organizations (controllers) and any third parties they engage for data processing (processors) must also implement reasonable security and protections.<\/p>\n For a few personal data uses, consumer consent does have to be obtained before data collection or processing. This includes personal data categorized as sensitive or data belonging to a known child. The Florida law differs from other states\u2019 laws in that the definition of a child applies to anyone under age 18, not under age 13, which is more common.<\/p>\n Personal information \/ personal data<\/strong><\/p>\n The FDBR includes definitions of both personal information and personal data. The definition of personal data has a specific purpose referencing children: \u201cinformation that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child<\/em>\u201d.<\/p>\n The definition of personal data is a bit more detailed than in other US privacy laws: \u201cany information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.<\/em>\u201d<\/p>\n The detail about use of pseudonymous or anonymized data<\/a> in conjunction with other information to identify someone is interesting to note, especially as the definition also mentions that deidentified data \u2014 presumably which cannot be used to identify anyone \u2014 is not included.<\/p>\n Extension of the Florida Information Protection Act<\/strong><\/p>\n Florida has had the Florida Information Protection Act (FIPA)<\/a> in effect since 2014, which defines and covers various kinds of data, including electronic information that commercial entities may store. That Act\u2019s requirements are fairly standard compared to the newer comprehensive data privacy laws in requirements for reasonable data protection, breach reporting, etc.<\/p>\n The FDBR expands FIPA\u2019s definition of personal information, which already included standard examples like Social Security numbers, financial information, and personal contact information, to include newer technologies like biometric or geolocation data.<\/p>\n Consent<\/strong><\/p>\n The European Union\u2019s General Data Protection Regulation (GDPR)<\/a> set the standard for defining consent, which has been followed by many regulations passed since.<\/p>\n Under the FDBR, consent is defined as: \u201ca clear affirmative act signifying a consumer\u2019s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative act.<\/em>\u201d<\/p>\n The Florida law, like Montana\u2019s Consumer Data Privacy Act (MTCDPA)<\/a>, explicitly excludes these conditions from validly obtained consent, which are all in line with GDPR and other laws\u2019 requirements for consent to be \u201cfreely given, specific, informed and unambiguous\u201d:<\/p>\n Florida\u2019s privacy law, like Connecticut\u2019s CTDPA<\/a> and Montana\u2019s MTCDPA, includes a requirement for consumers to be able to revoke their consent at any time.<\/p>\n Sensitive data \/ sensitive personal information<\/strong><\/p>\n This definition covers more specific categories of personal information, particularly that which could cause harm if misused, including any of the following revealing:<\/p>\n Controller<\/strong><\/p>\n The definition of controller is considerably longer and more detailed in Florida\u2019s law than in most. This is due to the number of requirements, and also because elements like compliance thresholds are built into the definition, which is unusual.<\/p>\n To be defined as a controller an entity must meet the following requirements:<\/p>\n The entity must also satisfy at least one of the following:<\/p>\n Processor<\/strong><\/p>\n For businesses that share personal data for processing purposes, the business will be the controller and the third-party entity will be the processor, defined in the Florida privacy bill as \u201ca person who processes personal data on behalf of a controller.<\/em>\u201d<\/p>\n Sale of personal data<\/strong><\/p>\n This is defined as \u201cthe sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party<\/em>.\u201d<\/p>\n Disclosure of personal data to any of the following is not considered a sale:<\/p>\n <\/li>\n<\/ul>\n Targeted advertising<\/strong><\/p>\n Refers to \u201cdisplaying to a consumer an advertisement selected based on personal data obtained from that consumer\u2019s activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer\u2019s preferences or interests.<\/em>\u201d<\/p>\n The term does not include ads that are \u201cbased on the context of a consumer\u2019s current search query on the controller\u2019s own website or online application, or directed to a consumer search query on the controller\u2019s own website or online application in response to the consumer\u2019s request for information or feedback.<\/em>\u201d<\/p>\n Surveillance<\/strong><\/p>\n Surveillance is referenced regarding the use of assorted technologies, specifically: \u201ca device that has a voice recognition feature, a facial recognition feature, a video recording feature, an audio recording feature, or any other electronic, visual, thermal, or olfactory feature that collects data may not use those features for the purpose of surveillance<\/strong> by the controller, processor, or affiliate of a controller or processor when such features are not in active use by the consumer, unless otherwise expressly authorized by the consumer.<\/em>\u201d<\/p>\n However, the FDBR does not specifically include a definition of \u201csurveillance\u201d. This may be legally tricky for tech companies with products using these increasingly common \u201csmart\u201d technologies if and when they need to draft consumer privacy and consent notices.<\/p>\n\n\n The FDBR applies to organizations conducting business in Florida, and any business that offers products or services targeted to Florida residents. As noted under the \u201ccontroller\u201d definition, the compliance requirements are a bit different and in some ways more targeted than many other US data privacy laws.<\/p>\n Organizations have to comply with the FDBR if they:<\/p>\n and at least one of:<\/p>\n Of particular note here is the inclusion of US $1 billion in gross annual revenue as a threshold. This clearly targets larger companies, as other states\u2019 data privacy laws that include a revenue threshold, like the California Privacy Rights Act (CPRA)<\/a>, set the threshold at only US $25 million. A number of the more recently passed laws, like Tennessee\u2019s Information Protection Act (TIPA)<\/a>, have no revenue-only threshold for compliance.<\/p>\n There are currently fewer than 6,000 businesses operating in Florida that meet the more than US $1 billion revenue threshold. Add in any of the other criteria and the number of organizations needing to comply would shrink even further.<\/p>\n Other line items also appear to target certain large tech companies that earn their revenue from ad sales, operate smart speakers or tech incorporating voice commands, and operate app stores or other digital distribution platforms. These requirements are not included in any other US state privacy law, and would apply to companies like Apple and Google that offer those technologies and run popular app stores.<\/p>\n The exemptions in the Florida data protection law are fairly consistent with the other existing US data privacy laws, deferring mainly to existing federal laws, including:<\/p>\n Other exemptions include HR data, health records, data for providing financial services, research data for human subjects that are covered by other federal laws or standards, and data that is processed or maintained for employment-related purposes.<\/p>\n Exempted institutions include:<\/p>\n Consumers have a number of rights under the new digital bill:<\/p>\n <\/li>\n<\/ul>\n Parents or guardians can exercise these rights on behalf of children. Like all other US data privacy laws except California\u2019s, the Florida Digital Bill of Rights does not enable private right of action, which would allow consumers to sue violators. Interestingly, a previous data privacy bill in Florida that failed in 2021 did include private right of action.<\/p>\n\n\n Controllers must notify consumers of their rights and ways that consumers can exercise those rights by submitting a verifiable request to the company. Controllers must supply at least two means of contact that are secure and consistent with normal ways in which consumers would contact the organization. The controller must also include clear information on how to exercise consumer rights in their privacy notice or policy page on their website.<\/p>\n After a consumer\u2019s authenticated request is received, the controller has 45 days to respond. There are some limited reasons that they can decline to act on the request, including if the consumer\u2019s identity cannot be reasonably verified or if the consumer submits an excessive number of requests in a 12-month period.<\/p>\n If there are extenuating circumstances preventing fulfilling a consumer request, once the consumer has been notified that response period can be extended by 15 days if reasonably necessary. Controllers must inform consumers within 60 days of receiving a request to notify them that it has been fulfilled.<\/p>\n If a controller denies a request, the consumer can appeal such a decision, and the controller has to provide information on how to do so. The controller has 60 days to respond to appeals.<\/p>\n Purpose limitation<\/strong><\/p>\n Controllers can process personal data for the purpose(s) that they have communicated, as long as the processing is \u201cadequate, relevant, and reasonably necessary<\/em>\u201d and proportional to those purposes.<\/p>\n Data security<\/strong><\/p>\n Controllers must protect personal data by establishing, implementing and maintaining reasonable administrative, technical, and physical security measures. These measures should be appropriate to the nature and volume of personal information being processed.<\/p>\n Data protection assessments (DPA)<\/strong><\/p>\n Controllers must conduct and document data protection assessments when they process information:<\/p>\n The Attorney General can request a DPA from a controller, typically for the purposes of investigating an alleged violation.<\/p>\n Consent requirements<\/strong><\/p>\n Like other US states that have passed privacy laws, Florida uses an opt-out model, so user consent is not required before collecting and processing personal data in many cases. The exception is that consent must be obtained before collecting or processing sensitive personal data. Consumers must be given clear notice about processing and be able to opt out of sale, targeted advertising, profiling, or data collection via face or voice recognition.<\/p>\n Where children are concerned, the FDBR follows the federal Children\u2019s Online Privacy Protection Act (COPPA)<\/a>. Consent from any known child\u2019s parent or guardian must be obtained before processing any personal data of any user known to be a child. This would include all children\u2019s personal data, as under Florida\u2019s data privacy regulation data of children under 18 is classified as sensitive by default. The FDBR pays particular attention to the protection of children, so has expanded the age range up to when children become legal adults.<\/p>\n Nondiscrimination<\/strong><\/p>\n Controllers are prohibited from unlawful discrimination against consumers, and from processing personal data if doing so is in violation of state or federal laws governing discrimination. Controllers cannot discriminate against consumers for exercising their rights. For example, a consumer cannot be blocked from accessing a website if they opt out of allowing personal information collection.<\/p>\n However, there are often website features or functions that will not work without certain trackers being active, so if a consumer does not opt in to their use because they collect personal information, the site may not work optimally. This is not discriminatory.<\/p>\n Controllers can offer voluntary incentives like discounts for consumers\u2019 voluntary participation in operations like an organization\u2019s loyalty program or signing up for a newsletter, where these operations collect and process personal data. Such offers have to be reasonable, as data protection authorities tend to frown on disproportionate incentives as they start to look like bribes.<\/p>\n Transparency<\/strong><\/p>\n Controllers must provide consumers with clear and accessible information about data processing. Commonly this appears on the company\u2019s website in a privacy notice or policy. Under the FDBR, this information must include:<\/p>\n Third party contracts<\/strong><\/p>\n Controllers must have contracts in place with third-party processors (service providers) with clear information about:<\/p>\n Universal opt-out signal<\/strong><\/p>\n The Florida Digital Bill of Rights, like some other state-level data privacy laws, including Indiana\u2019s Consumer Data Protection Act (Indiana CDPA)<\/a> and Tennessee\u2019s, does not reference the Global Privacy Control<\/a> (GPC) \u201cuniversal opt-out\u201d or similar mechanism.<\/p>\n The GPC is intended to standardize user consent online. Using it enables consumers to create a single set of their own personal data privacy consent preferences. These settings can then be communicated to all websites or apps that consumers visit, so users don\u2019t have to set new preferences on every site. Use of this mechanism also helps ensure compliance with consumer privacy laws relevant to each user.<\/p>\n\n\n In Florida, the Attorney General and the Department of Legal Affairs have exclusive enforcement authority for the FDBR. As noted, the law does not provide consumers with private right of action, but they can report alleged violations or complaints about denial of requests to the Attorney General\u2019s office. The Attorney General must provide parties with alleged violations against them with written notice that lists the violations.<\/p>\n As with the Colorado Privacy Act (CPA)<\/a>, violations of the FDBR are considered deceptive trade practices.<\/p>\n After being notified by the Attorney General in writing, a 45-day cure period may be granted when organizations can fix issues and take steps to prevent recurrence, without suffering penalties. If the organization does \u201ccure\u201d issues to the Attorney General\u2019s satisfaction and provides written notification, while they may not be financially penalized, they may receive a letter of guidance stating that they will not receive a cure period for any future violation.<\/p>\n If a violation involves a known child, the cure period does not apply. The Department of Legal Affairs will also consider conditions like the number and severity of violations before deciding if a cure period will be allowed.<\/p>\n Cure periods in other state-level data privacy laws range from 30 to 90 days. The Florida Digital Bill of Rights does not include any provision to sunset the cure period after a year or two, as some other states\u2019 data privacy laws do.<\/p>\n If the controller or any of their data processors are still in violation after the cure period, or after submitting their statement, the Attorney General can initiate investigative actions and levy penalties of up to US $50,000 per violation. Penalties can be tripled if:<\/p>\n Under the new section of the statutes, the FDBR is also a social media law, dictating that no government entity can request that a social media platform remove content or user accounts unless the content or account is used to commit a crime or otherwise violates Florida public records law.<\/p>\n This prohibition could make it possible to use online social media platforms to promote content that could be considered to violate other state-level content restriction laws like the Parental Rights in Education Law<\/a>.<\/p>\n The definition of \u201csocial media platform\u201d is also quite broad: \u201ca form of electronic communication through which users create online communities or groups to share information, ideas, personal messages, and other content.<\/em>\u201d This could also create some legal quandaries in practice.<\/p>\n\n\n The FDBR includes more specific information about children and requirements for protecting them, particularly online, than other US data privacy laws. In addition to defining children as anyone up to age 18, the law triples the potential financial penalties for violations affecting known children.<\/p>\n The definitions section of the law also has an extensive entry for \u201csubstantial harm or privacy risk to children\u201d, with many examples of types of harm outlined, ways children\u2019s data cannot be collected or used, and prohibitions specifically for any \u201conline platform that provides an online service, product, game, or feature likely to be predominantly accessed by children\u201d<\/em>.<\/p>\n\n\n Florida\u2019s consumer privacy law only requires prior consent where sensitive personal data and children\u2019s data are concerned. Penalties for knowingly processing children\u2019s data without consent are triple the baseline penalty for data privacy violations under the law.<\/p>\n Consumers do have to be provided with the option of opting out of collection and processing of their personal data for sale, targeted advertising, or profiling at any point. Information about that must be provided on the website, typically under the privacy notice\/policy page. Penalties for not complying with consumer\u2019s valid opt-out requests can also be tripled from the standard fine.<\/p>\n The mechanism to enable users to opt out of data processing can be presented in a banner and displayed, most commonly as a link or button. A consent management platform (CMP) like Usercentrics\u2019 also helps to automate detection of the cookies and other tracking technologies in use on websites and apps. Use of a CMP streamlines collecting and providing the information to users about categories of data and specific services in use by the controller and\/or processor(s), and third parties with whom data is shared. Florida\u2019s privacy law, and most data privacy regulations around the world, require this notification.<\/p>\n Because the United States does not have a single federal data privacy law, companies doing business across the country and\/or with other countries may need to comply with multiple consumer privacy laws to protect data. (Learn more: Comparing US state-level data privacy laws<\/a>) A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user\u2019s preferred language.<\/p>\n\n\nWhat is the Florida data privacy act?<\/h2>\n
Definitions in the Florida Digital Bill of Rights<\/h4>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
What is covered in the Florida data privacy law?<\/h2>\n
Who has to comply with the Florida Digital Bill of Rights?<\/h4>\n
\n
\n
\n
Exemptions to Florida Digital Bill of Rights compliance<\/h4>\n
\n
\n
\n
Consumers\u2019 rights under the Florida Digital Bill of Rights<\/h2>\n
\n
\n
How does the new Florida data protection act affect businesses?<\/h2>\n
How to comply with the Florida data privacy law<\/h4>\n
\n
\n
\n
\n
\n
What happens if you break the Florida data protection law?<\/h2>\n
Enforcement<\/h4>\n
Cure period and controller actions<\/h4>\n
Fines and penalties<\/h4>\n
\n
Prohibition of government censorship under Florida\u2019s Digital Bill of Rights<\/h2>\n
Protection of children under the Florida Digital Bill of Rights<\/h2>\n
The Florida Digital Bill of Rights and consent management<\/h2>\n