New Florida Digital Bill of Rights Signed Into Law

Enacted in July 2024, the Florida Digital Bill of Rights (FDBR) significantly impacts the data privacy landscape within the state. This legislation empowers Florida residents with control over their personal information, offering a framework for data access, correction, and deletion. We will explore the key provisions of the FDBR and its implications for both consumers and businesses.

What is the Florida Digital Bill of Rights?

The Florida Digital Bill of Rights is the state's comprehensive data privacy law. It is not as comprehensive as other state consumer privacy laws, however.

It only applies to large businesses because of the high applicability thresholds.

Simply put, if you don't generate a certain amount of revenue or process data from a large number of Florida residents, the FDBR is unlikely to affect you.

However, for those large businesses that it does apply to, the law grants Florida residents several key rights regarding their personal information. These include:

• The right to access: You can request information from a business to see what data they've collected about you.
• The right to rectification: If the data is inaccurate, you can ask them to fix it.
• The right to deletion: Under certain circumstances, you can request that a business delete your data.
• The right to opt-out: You can choose not to have your data sold or used for targeted advertising.

The Florida Digital Bill of Rights came into effect on July 1, 2024.

Is the FDBR appropriate for my business?

The Florida Digital Bill of Rights (FDBR), established under Senate Bill 262, primarily applies to certain large businesses and includes several key provisions regarding the protection of personal data. Here is a detailed breakdown of its applicability:

1. Large Businesses. The FDBR primarily targets businesses with annual gross revenues exceeding $1 billion. Specifically, it applies to entities that also meet one of the following criteria: Derive 50% or more of their global annual revenues from the sale of advertisements online. Operate a consumer smart speaker with an integrated virtual assistant connected to a cloud computing service. Operate an app store or digital distribution platform with at least 250,000 apps available for download

2. Broader Applicability. In addition to these large entities, the FDBR includes provisions that apply more broadly to for-profit businesses that collect and process personal data about Floridian consumers, particularly regarding the sale of sensitive personal data. Sensitive data includes personal information revealing racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, genetic or biometric data, and data collected from children.

Exemptions from the Florida data protection law

The FDBR's provisions exempt several types of entities and data, including

• Government entities
• Nonprofit organizations
• Higher education institutions
• Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
• Covered entities under HIPAA.

Many of these entities wouldn't pass the thresholds anyway, yet there is a clear exclusion for them in the law.

Does the Florida data privacy law apply to small businesses?

The Florida privacy law doesn't apply to most small businesses. If a small business meets the thresholds, the law may cover it, though this is unlikely.

What are the new Florida consumer rights and protections?

The FDBR grants Floridian consumers several rights similar to those found in other state privacy laws, such as the right to access, correct, delete personal data, and opt out of the sale of personal data. There are also specific provisions to protect children's online privacy.

Keep in mind that simply being a Florida resident does not grant anyone these rights unless the business meets the stringent applicability thresholds.

How can businesses comply with the Florida privacy act?

The Florida Digital Bill of Rights (FDBR) imposes several requirements on businesses that fall under its scope. Here are the key requirements:

• Respond to the following consumer rights requests:
  The right to access personal data. The right to correct inaccuracies in personal data. The right to delete personal data. The right to obtain a copy of personal data in a portable and readily usable format. The right to opt out of the processing of personal data for targeted advertising, the sale of personal data, and certain types of profiling.
• Obtain consent for the processing of sensitive data, such as racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data collected from a known child, and precise geolocation data.
• Provide consumers with privacy notices. These notices should describe: The categories of personal data processed. The purposes for processing personal data. How consumers can exercise their data rights. The categories of personal data shared with third parties and the categories of those third parties.
• Conduct data protection impact assessments to evaluate the risks associated with their data processing activities, particularly for processing activities that involve sensitive data or have significant impacts on consumers.
• Ensure to have written contracts with all data processors. When businesses use third-party processors to handle personal data, they must have contracts in place that outline the responsibilities and obligations of each party. These contracts should include terms for confidentiality, data deletion or return upon termination, and cooperation with the controller's assessments and audits.
• Not process personal information that may result in substantial harm or privacy risks to children.
• Not use dark patterns to manipulate consent.
• Not use certain data collection features for surveillance purposes without explicit consumer authorization.

Do we need to obtain consent for data processing?

Sensitive data is an exception to the general rule that permits data processing without consent.

Businesses must obtain explicit consent before processing any sensitive data, which includes:

• Racial or ethnic origin.
• Religious beliefs.
• Mental or physical health diagnoses.
• Sexual orientation.
• Citizenship or immigration status.
• Genetic or biometric data.
• Personal data collected from children.
• Precise geolocation data​.

For all other data, consumers can opt out as required by law.

Do we need a Florida privacy policy?

Yes, privacy notices are required under the Florida Digital Bill of Rights (FDBR). 

Businesses must provide clear and comprehensive privacy notices, which should include the following:

• The categories of personal data processed.
• The purposes for processing personal data.
• Instructions on how consumers can exercise their data rights.
• How consumers can appeal a controller’s refusal to take action on data rights requests.
• The categories of personal data shared with third parties.
• The categories of third parties with which personal data is shared

These notices must be easily accessible to consumers and do not require them to log in or register to read them. This ensures transparency and ease of access for all consumers.

In particular, businesses operating search engines must provide an easily accessible, plain language description of the main parameters used to rank search results, including how political partisanship or ideology influences these rankings.

What are the Florida Special Notices for Sensitive Data?

Businesses subject to the Florida data protection law that sell sensitive or biometric data must include explicit notices stating:

• "NOTICE: This website may sell your sensitive personal data.”
• “NOTICE: This website may sell your biometric data”

FDBR Enforcement and Compliance

FDBR breaches can result in civil penalties of up to USD 50,000 per violation, which is significantly higher than other US state privacy laws. If the violation involves a minor under 18, if the entity fails to delete or correct personal data upon request, or if the entity continues to sell or share personal data after the consumer has opted out, the amount can triple.

The Florida Attorney General enforces the law. The procedure starts with a 45-day cure period, which, if it fails, allows the Attorney General to issue penalties.

This law does not give Florida residents a private right to action.