Skip to content

Manage privacy requirements of the Florida Digital Bill of Rights (FDBR)

Handle privacy notices, user opt-outs for data use, and evolving U.S. state privacy rules with the Usercentrics Consent Management Platform (CMP). Display a fully customizable cookie banner that supports Florida’s FDBR requirements — without breaking analytics, ads, or revenue.
Start freeContact Sales

What is the FDBR?

The Florida Digital Bill of Rights (FDBR) is a comprehensive consumer privacy law that took effect on July 1, 2024. It governs how businesses collect, process, share, and sell the personal data of Florida residents, granting individuals new rights and placing obligations on covered companies.

The FDBR focuses on child protection, social media, and technology regulation. Several aspects, including compliance thresholds, apply more directly to big tech companies. The law also contains a prohibition on government censorship.

Common FDBR questions and answers
Bank icon with various currency coins falling in

FDBR at a glance

  • The Florida Digital Bill of Rights (FDBR) took effect on July 1, 2024.
  • Applies to: certain large companies doing business in Florida that meet specific revenue and data thresholds.
  • Florida consumers have rights of access, correction, deletion, portability, non-discrimination, and to opt out of certain data uses.
  • Businesses must provide clear privacy notices and respond to consumer rights requests.
  • Enforcement: Florida Attorney General, up to $50,000 per violation (tripled under certain circumstances)
  • Cure period: Businesses receive a 45-day right to cure after notice before enforcement action

What does the FDBR require from businesses?

The FDBR’s USD 1 billion global gross annual revenue threshold, plus at least one additional statutory criterion, means the law applies to a limited number of large companies.

However, several FDBR requirements reflect broader privacy best practices and consumers’ increasing expectations. Companies should provide a clear, up-to-date privacy notice explaining how personal data is collected, used, shared, or sold. They should offer easy-to-use opt-out mechanisms — such as a consent banner — for the sale of personal data, targeted advertising, and certain profiling activities. They should obtain affirmative opt-in consent before processing sensitive personal data, including children’s data.

Businesses are also expected to respond to consumer rights requests and implement reasonable security measures to protect personal data throughout its lifecycle.

Bank icon with various currency coins falling in

What are the risks of ignoring the FDBR?

Failing to meet FDBR requirements can result in enforcement by the Florida Attorney General. Violations are treated as deceptive trade practices, with fines up to USD 50,000 per violation, which may be tripled in certain cases.

Beyond financial penalties, gaps in consent management, opt-out mechanisms, or required notices can increase legal risk, disrupt advertising and data-driven revenue, and weaken customer trust.

Although the FDBR applies to a limited number of large companies, many businesses operate across multiple states or countries and must comply with other privacy laws. Aligning with FDBR standards can support broader privacy compliance readiness.

As privacy expectations continue to rise across the U.S., inadequate data practices may also lead to reputational harm, lower user engagement, and lost business opportunities.

Analytics and ads behave predictably based on real user choices. A well-configured cookie banner helps prevent broken tracking, data gaps, and last-minute fixes — your insights stay dependable.

Automatic cookie scanning and updates can keep your banner accurate as your site and legal requirements change. Less manual upkeep, fewer headaches, and more time for your team to focus on growth.

A clear, customized cookie banner keeps your visitors informed and gives them clear choices. The result: less friction, more trust, and mitigated legal risk from the start.

A flexible cookie banner and consent management platform helps you adapt as privacy expectations and state laws evolve — and as your company grows. You stay in control of tracking and monetization without scrambling to rework setups or risking interruptions.

“Honestly, it was click, click, click, done.”
— Web Application Development Manager, Gilson
Read full review
Get your websites and apps ready for Florida privacy rules

Make it easy to provide website visitors and app users with clear notice and real choice — without disrupting analytics or ads. Try Usercentrics for free to address legal and operational risk as privacy expectations evolve.

start free

Talk to our privacy experts

Usercentrics helps businesses in Florida give visitors clear notice and meaningful choice — without slowing down websites or apps, analytics, or advertising. Whether you’re preparing for FDBR requirements or managing multiple U.S. and global privacy laws, we’ll help you protect your business and find the right setup for your website.

  • Stable tracking and marketing performance as privacy rules evolve
  • Automated setup and updates that minimize ongoing maintenance
  • Address legal and operational risk with a single, scalable platform
Contact sales
Contact chat bubble at the bottom right corner of a chat illustration

Learn more

Checklist
May 29, 2025
Our FBDR compliance checklist will help you achieve and maintain privacy compliance. Build user trust and achieve high opt-in rates.
Read more
Article
Feb 7, 2025
In 2025 more US state privacy laws will come into effect than in any previous year, though federal legislation remains stalled. We compare what US state-level data privacy laws mean for consumers and businesses.
Read more
Article
Jan 16, 2026
Compliance with the Children’s Online Privacy Protection Act (COPPA) is required for any business handling the personal information of children under age 13 in the United States. This article discloses the key provisions of COPPA to help organizations take the necessary steps to achieve and maintain compliance and build trust with families.
Read more

Frequently asked questions

The Florida Digital Bill of Rights (FDBR) applies to certain large for-profit companies that:

  • Generate more than USD 1 billion in global gross annual revenue, and
  • Meet at least one of the following:
    • Derive 50 percent or more of global gross annual revenue from online advertising, including targeted advertising or selling ads online
    • Operate a consumer smart speaker with an integrated virtual assistant connected to a cloud service that uses hands-free voice activation (excluding motor vehicle–related systems operated by vehicle manufacturers or affiliates)
    • Operate an app store or digital distribution platform offering at least 250,000 different software applications for consumer download

This structure reflects the FDBR’s limited, large-entity scope. Most small and midsize businesses are not covered by its primary provisions.

Florida consumers have the right to:

  • Access their personal data
  • Correct inaccuracies
  • Delete personal data
  • Obtain a portable copy of their data
  • Opt out of the sale of personal data
  • Opt out of targeted advertising
  • Opt out of certain profiling

Covered businesses must provide clear, accessible ways for consumers to exercise these rights.

The Florida Attorney General enforces the FDBR. Civil penalties may reach up to USD 50,000 per violation in certain cases, and violations are considered deceptive trade practices. Businesses receive a 45-day cure period after written notice. There is no private right of action.

Covered businesses must provide a clear privacy notice explaining:

  • What personal data is collected
  • Why it is processed
  • Whether it is sold or used for targeted advertising
  • How consumers can exercise their rights

If a business sells sensitive personal data, this notice must be displayed: “NOTICE: This website may sell your sensitive personal data.”

If a business sells biometric personal data, this notice must be displayed: “NOTICE: This website may sell your biometric personal data.”

If a business sells personal data to third parties or processes personal data for targeted advertising, they must clearly and conspicuously disclose that process.

The FDPR differs from laws like the California Consumer Privacy Act (CCPA) in several important ways, including:

Topic FDPR CCPA
Applicability trigger Applies only to certain large for-profit entities doing business in Florida that meet strict revenue and operational criteria (e.g., major ad platforms, smart speaker providers, large app stores). Applies to for-profit businesses doing business in California that meet revenue or data-processing thresholds. Broader scope.
Revenue threshold More than $1 billion in global gross annual revenue plus additional statutory criteria. Yes (annual gross revenue exceeding $26.2M for the preceding calendar year)
Data minimization standard Personal data must be adequate, relevant, and reasonably necessary for disclosed purposes. Broader purpose limitation, less prescriptive minimization language
Sensitive data (including children’s) Opt-in consent required for processing sensitive personal data. Enhanced penalties for violations involving children’s data. Opt-in required and display of link if sensitive personal information is processed: “Limit the Use of My Sensitive Personal Information”
Enforcement Exclusively by the Florida Attorney General California Attorney General and the California Privacy Protection Agency (CCPA or CalPrivacy)
Cure period 45-day right to cure after written notice. Does not expire. Generally none
Private right of action (individual lawsuits for violations) No Yes (but only for data breaches)