Florida Digital Bill of Rights (FDBR): An Overview

Florida was the tenth state in the United States to pass a consumer privacy bill, SB 262, with an effective date of July 1, 2024. It’s the fifth of six states to pass a privacy law in 2023. As of June 6, 2023, when the bill was passed, organizations have just over a year to prepare for FDBR compliance.

Passage of comprehensive state-level privacy laws is gaining momentum in the United States in 2023, with Iowa, Indiana, Tennessee, Montana, Florida, and Texas all passing laws between March and June.

The data privacy law passed in Florida differs in a number of respects from the other comprehensive state privacy laws passed in the US, with a focus on child protection, social media, and technology regulation. Several aspects, including compliance thresholds, appear to particularly target big tech companies. A federal data privacy law in the US has not been passed to date.

The Florida Digital Bill of Rights (FDBR) protects the digital privacy and personal data rights of Florida’s more than 21 million residents, and establishes data privacy responsibilities for companies doing business in the state or providing goods or services targeting Florida residents. In the course of doing business these organizations process consumers’ personal information. This law is a bit different from others passed in the US to date, however, with its focus on large tech companies, newer consumer technologies, and online social media platforms.

Like other states with data privacy laws, Florida defines a consumer as a resident of or person living in the state who is acting in an individual or household context and not in a commercial or employment context.

Like all the other comprehensive data privacy regulations passed in the US to date, the FDBR uses an opt-out model. Data subject consent is not required prior to data collection or processing in many cases. Businesses that are required to comply with the Florida privacy law must inform consumers about what data collection and processing they perform, what consumers’ rights are, and how to exercise them.

Notifications need to include what data is collected, for what purposes, third parties with whom the data is shared, etc. Businesses must provide consumers with ways to opt out of data collection and processing for several purposes: sale, targeted advertising, or profiling. Organizations (controllers) and any third parties they engage for data processing (processors) must also implement reasonable security and protections.

For a few personal data uses, consumer consent does have to be obtained before data collection or processing. This includes personal data categorized as sensitive or data belonging to a known child. The Florida law differs from other states’ laws in that the definition of a child applies to anyone under age 18, not under age 13, which is more common.

Personal information / personal data

The FDBR includes definitions of both personal information and personal data. The definition of personal data has a specific purpose referencing children: “information that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child”.

The definition of personal data is a bit more detailed than in other US privacy laws: “any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.”

The detail about use of pseudonymous or anonymized data in conjunction with other information to identify someone is interesting to note, especially as the definition also mentions that deidentified data — presumably which cannot be used to identify anyone — is not included.

Extension of the Florida Information Protection Act

Florida has had the Florida Information Protection Act (FIPA) in effect since 2014, which defines and covers various kinds of data, including electronic information that commercial entities may store. That Act’s requirements are fairly standard compared to the newer comprehensive data privacy laws in requirements for reasonable data protection, breach reporting, etc.

The FDBR expands FIPA’s definition of personal information, which already included standard examples like Social Security numbers, financial information, and personal contact information, to include newer technologies like biometric or geolocation data.

Consent

The European Union’s General Data Protection Regulation (GDPR) set the standard for defining consent, which has been followed by many regulations passed since.

Under the FDBR, consent is defined as: “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative act.”

The Florida law, like Montana’s Consumer Data Privacy Act (MTCDPA), explicitly excludes these conditions from validly obtained consent, which are all in line with GDPR and other laws’ requirements for consent to be “freely given, specific, informed and unambiguous”:

• acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information
• hovering over, muting, pausing, or closing a given piece of content
• agreement obtained through the use of dark patterns

Florida’s privacy law, like Connecticut’s CTDPA and Montana’s MTCDPA, includes a requirement for consumers to be able to revoke their consent at any time.

Sensitive data / sensitive personal information

This definition covers more specific categories of personal information, particularly that which could cause harm if misused, including any of the following revealing:

• racial or ethnic origin
• religious beliefs
• mental or physical health diagnosis
• sexual orientation
• citizenship or immigration status
• genetic or biometric data processed for the purpose of uniquely identifying an individual
• from a known child (under 18 years of age)
• precise geolocation data (to within 1,750 feet / 533.4 meters)

Controller

The definition of controller is considerably longer and more detailed in Florida’s law than in most. This is due to the number of requirements, and also because elements like compliance thresholds are built into the definition, which is unusual.

To be defined as a controller an entity must meet the following requirements:

• a sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
  • • organized or operated for the profit or financial benefit of its shareholders or owners
    • conducts business in Florida
    • collects personal data about consumers, or is the entity on behalf of which such information is collected
• determines the purposes and means of processing personal data about consumers alone or jointly with others
• makes in excess of $1 billion in global gross annual revenues

The entity must also satisfy at least one of the following:

• derives 50 percent or more of its global gross annual revenues from the sale of advertisements online
  • including providing targeted advertising or the sale of ads online
• operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation
  • a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle which is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof
• operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install

Processor

For businesses that share personal data for processing purposes, the business will be the controller and the third-party entity will be the processor, defined in the Florida privacy bill as “a person who processes personal data on behalf of a controller.”

Sale of personal data

This is defined as “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.”

Disclosure of personal data to any of the following is not considered a sale:

• a processor who processes the personal data on the controller’s behalf
• a third party for purposes of providing a product or service requested by the consumer
• information that the consumer:
  • intentionally made available to the general public through a mass media channel and did not restrict to a specific audience
  • disclosed or transferred personal data to a third party as an asset that is part of a merger or an acquisition

   

Targeted advertising

Refers to “displaying to a consumer an advertisement selected based on personal data obtained from that consumer’s activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer’s preferences or interests.”

The term does not include ads that are “based on the context of a consumer’s current search query on the controller’s own website or online application, or directed to a consumer search query on the controller’s own website or online application in response to the consumer’s request for information or feedback.”

Surveillance

Surveillance is referenced regarding the use of assorted technologies, specifically: “a device that has a voice recognition feature, a facial recognition feature, a video recording feature, an audio recording feature, or any other electronic, visual, thermal, or olfactory feature that collects data may not use those features for the purpose of surveillance by the controller, processor, or affiliate of a controller or processor when such features are not in active use by the consumer, unless otherwise expressly authorized by the consumer.”

However, the FDBR does not specifically include a definition of “surveillance”. This may be legally tricky for tech companies with products using these increasingly common “smart” technologies if and when they need to draft consumer privacy and consent notices.

The FDBR applies to organizations conducting business in Florida, and any business that offers products or services targeted to Florida residents. As noted under the “controller” definition, the compliance requirements are a bit different and in some ways more targeted than many other US data privacy laws.

Organizations have to comply with the FDBR if they:

• make more than US $1 billion in global gross annual revenue

and at least one of:

• derive 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online
• operate an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install
  • except that a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle which is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof.operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation

   

Of particular note here is the inclusion of US $1 billion in gross annual revenue as a threshold. This clearly targets larger companies, as other states’ data privacy laws that include a revenue threshold, like the California Privacy Rights Act (CPRA), set the threshold at only US $25 million. A number of the more recently passed laws, like Tennessee’s Information Protection Act (TIPA), have no revenue-only threshold for compliance.

There are currently fewer than 6,000 businesses operating in Florida that meet the more than US $1 billion revenue threshold. Add in any of the other criteria and the number of organizations needing to comply would shrink even further.

Other line items also appear to target certain large tech companies that earn their revenue from ad sales, operate smart speakers or tech incorporating voice commands, and operate app stores or other digital distribution platforms. These requirements are not included in any other US state privacy law, and would apply to companies like Apple and Google that offer those technologies and run popular app stores.

The exemptions in the Florida data protection law are fairly consistent with the other existing US data privacy laws, deferring mainly to existing federal laws, including:

• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act
• Patient Safety and Quality Improvement Act
• Fair Credit Reporting Act (FCRA)
• Children’s Online Privacy Protection Act (COPPA)
• Family Educational Rights and Privacy Act (FERPA)
• Driver’s Privacy Protection Act
• Farm Credit Act (FCA)
• Airline Deregulation Act

Other exemptions include HR data, health records, data for providing financial services, research data for human subjects that are covered by other federal laws or standards, and data that is processed or maintained for employment-related purposes.

Exempted institutions include:

• • state government agencies
  • financial institutions (also entities and affiliates subject to the Gramm-Leach-Bliley Act)
  • insurance companies
  • postsecondary education institutions
  • nonprofit organizations

Consumers have a number of rights under the new digital bill:

• Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data, with some exceptions
• Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
• Right to delete: any personal data the controller has about or from the consumer, with some exceptions
• Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
• Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
• Right to opt out:
  • sale of personal data
  • targeted advertising
  • certain profiling “in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer”
  • collection or processing of sensitive data
  • collection of personal data through the operation of a voice recognition or facial recognition feature

   

Parents or guardians can exercise these rights on behalf of children. Like all other US data privacy laws except California’s, the Florida Digital Bill of Rights does not enable private right of action, which would allow consumers to sue violators. Interestingly, a previous data privacy bill in Florida that failed in 2021 did include private right of action.

Controllers must notify consumers of their rights and ways that consumers can exercise those rights by submitting a verifiable request to the company. Controllers must supply at least two means of contact that are secure and consistent with normal ways in which consumers would contact the organization. The controller must also include clear information on how to exercise consumer rights in their privacy notice or policy page on their website.

After a consumer’s authenticated request is received, the controller has 45 days to respond. There are some limited reasons that they can decline to act on the request, including if the consumer’s identity cannot be reasonably verified or if the consumer submits an excessive number of requests in a 12-month period.

If there are extenuating circumstances preventing fulfilling a consumer request, once the consumer has been notified that response period can be extended by 15 days if reasonably necessary. Controllers must inform consumers within 60 days of receiving a request to notify them that it has been fulfilled.

If a controller denies a request, the consumer can appeal such a decision, and the controller has to provide information on how to do so. The controller has 60 days to respond to appeals.

Purpose limitation

Controllers can process personal data for the purpose(s) that they have communicated, as long as the processing is “adequate, relevant, and reasonably necessary” and proportional to those purposes.

Data security

Controllers must protect personal data by establishing, implementing and maintaining reasonable administrative, technical, and physical security measures. These measures should be appropriate to the nature and volume of personal information being processed.

Data protection assessments (DPA)

Controllers must conduct and document data protection assessments when they process information:

• for the purposes of targeted advertising
• to sell the personal data
• categorized as sensitive personal data
• for the purposes of profiling if there is a reasonably foreseeable or heightened risk of harm to consumers

The Attorney General can request a DPA from a controller, typically for the purposes of investigating an alleged violation.

Consent requirements

Like other US states that have passed privacy laws, Florida uses an opt-out model, so user consent is not required before collecting and processing personal data in many cases. The exception is that consent must be obtained before collecting or processing sensitive personal data. Consumers must be given clear notice about processing and be able to opt out of sale, targeted advertising, profiling, or data collection via face or voice recognition.

Where children are concerned, the FDBR follows the federal Children’s Online Privacy Protection Act (COPPA). Consent from any known child’s parent or guardian must be obtained before processing any personal data of any user known to be a child. This would include all children’s personal data, as under Florida’s data privacy regulation data of children under 18 is classified as sensitive by default. The FDBR pays particular attention to the protection of children, so has expanded the age range up to when children become legal adults.

Nondiscrimination

Controllers are prohibited from unlawful discrimination against consumers, and from processing personal data if doing so is in violation of state or federal laws governing discrimination. Controllers cannot discriminate against consumers for exercising their rights. For example, a consumer cannot be blocked from accessing a website if they opt out of allowing personal information collection.

However, there are often website features or functions that will not work without certain trackers being active, so if a consumer does not opt in to their use because they collect personal information, the site may not work optimally. This is not discriminatory.

Controllers can offer voluntary incentives like discounts for consumers’ voluntary participation in operations like an organization’s loyalty program or signing up for a newsletter, where these operations collect and process personal data. Such offers have to be reasonable, as data protection authorities tend to frown on disproportionate incentives as they start to look like bribes.

Transparency

Controllers must provide consumers with clear and accessible information about data processing. Commonly this appears on the company’s website in a privacy notice or policy. Under the FDBR, this information must include:

• categories of personal data processed by the controller, including sensitive data, if any
• purpose(s) for processing personal data
  • a controller may not collect different or additional categories of personal data, or use personal data collected for different or additional purposes than those stated, without notifying the consumer
• how consumers may contact the controller, exercise their rights and/or appeal a controller’s decision (e.g. if a request for access is denied)
• categories of personal data that the controller sells to or shares with third parties, if any
  • if a controller sells sensitive data, they must post the following: “NOTICE: This website may sell your sensitive personal data.”
  • if a controller sells biometric data, they must post the following: “NOTICE: This website may sell your biometric personal data.”
  • if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process
• categories of third parties to whom the controller sells to or shares personal data, if any
• the right to opt out of the sale of personal data to third parties or processing personal data for targeted advertising or profiling and how to exercise it, including contact methods

Third party contracts

Controllers must have contracts in place with third-party processors (service providers) with clear information about:

• duty of confidentiality
• instructions for processing data
• nature and purpose of processing
• type of data subject to processing
• duration of processing
• rights and obligations of both parties

Universal opt-out signal

The Florida Digital Bill of Rights, like some other state-level data privacy laws, including Indiana’s Consumer Data Protection Act (Indiana CDPA) and Tennessee’s, does not reference the Global Privacy Control (GPC) “universal opt-out” or similar mechanism.

The GPC is intended to standardize user consent online. Using it enables consumers to create a single set of their own personal data privacy consent preferences. These settings can then be communicated to all websites or apps that consumers visit, so users don’t have to set new preferences on every site. Use of this mechanism also helps ensure compliance with consumer privacy laws relevant to each user.

In Florida, the Attorney General and the Department of Legal Affairs have exclusive enforcement authority for the FDBR. As noted, the law does not provide consumers with private right of action, but they can report alleged violations or complaints about denial of requests to the Attorney General’s office. The Attorney General must provide parties with alleged violations against them with written notice that lists the violations.

As with the Colorado Privacy Act (CPA), violations of the FDBR are considered deceptive trade practices.

After being notified by the Attorney General in writing, a 45-day cure period may be granted when organizations can fix issues and take steps to prevent recurrence, without suffering penalties. If the organization does “cure” issues to the Attorney General’s satisfaction and provides written notification, while they may not be financially penalized, they may receive a letter of guidance stating that they will not receive a cure period for any future violation.

If a violation involves a known child, the cure period does not apply. The Department of Legal Affairs will also consider conditions like the number and severity of violations before deciding if a cure period will be allowed.

Cure periods in other state-level data privacy laws range from 30 to 90 days. The Florida Digital Bill of Rights does not include any provision to sunset the cure period after a year or two, as some other states’ data privacy laws do.

If the controller or any of their data processors are still in violation after the cure period, or after submitting their statement, the Attorney General can initiate investigative actions and levy penalties of up to US $50,000 per violation. Penalties can be tripled if:

• the violation is against a known child
• a controller fails to delete personal data after receiving an authenticated consumer request (or a processor receives instructions to do so from a controller)
• a controller continues to sell or share a consumer’s personal data after the consumer has opted out

Under the new section of the statutes, the FDBR is also a social media law, dictating that no government entity can request that a social media platform remove content or user accounts unless the content or account is used to commit a crime or otherwise violates Florida public records law.

This prohibition could make it possible to use online social media platforms to promote content that could be considered to violate other state-level content restriction laws like the Parental Rights in Education Law.

The definition of “social media platform” is also quite broad: “a form of electronic communication through which users create online communities or groups to share information, ideas, personal messages, and other content.” This could also create some legal quandaries in practice.

The FDBR includes more specific information about children and requirements for protecting them, particularly online, than other US data privacy laws. In addition to defining children as anyone up to age 18, the law triples the potential financial penalties for violations affecting known children.

The definitions section of the law also has an extensive entry for “substantial harm or privacy risk to children”, with many examples of types of harm outlined, ways children’s data cannot be collected or used, and prohibitions specifically for any “online platform that provides an online service, product, game, or feature likely to be predominantly accessed by children”.

Florida’s consumer privacy law only requires prior consent where sensitive personal data and children’s data are concerned. Penalties for knowingly processing children’s data without consent are triple the baseline penalty for data privacy violations under the law.

Consumers do have to be provided with the option of opting out of collection and processing of their personal data for sale, targeted advertising, or profiling at any point. Information about that must be provided on the website, typically under the privacy notice/policy page. Penalties for not complying with consumer’s valid opt-out requests can also be tripled from the standard fine.

The mechanism to enable users to opt out of data processing can be presented in a banner and displayed, most commonly as a link or button. A consent management platform (CMP) like Usercentrics’ also helps to automate detection of the cookies and other tracking technologies in use on websites and apps. Use of a CMP streamlines collecting and providing the information to users about categories of data and specific services in use by the controller and/or processor(s), and third parties with whom data is shared. Florida’s privacy law, and most data privacy regulations around the world, require this notification.

Because the United States does not have a single federal data privacy law, companies doing business across the country and/or with other countries may need to comply with multiple consumer privacy laws to protect data. (Learn more: Comparing US state-level data privacy laws) A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user’s preferred language.

This will enable companies to achieve FDBR compliance, as well as other current and upcoming regulations across the United States. For companies doing business internationally, using a consent management platform also enables compliance with regulations like the European Union’s GDPR, which has more strict consent management requirements than the laws in the US.

Organizations doing business in Florida have until July 1, 2024 to prepare for compliance with the FDBR. If they have already achieved compliance with other state-level data privacy laws in the US, like Connecticut’s, a good portion of the work is already done. However, special attention should be paid to the differences with Florida’s law, especially as they pertain to protection of children, government censorship, and compliance thresholds.

As always, a privacy by design approach will benefit all operations in an organization, whether specifically for regulatory compliance or not.

Achieving FDBR compliance will mainly be a matter of confirming the Florida privacy law’s specific requirements and having a solution in place to provide users with the necessary notifications and opt-out options. The Usercentrics Consent Management Platform (CMP) can help with cookie and tracking notification and management.

Updates to the FDBR are likely over time, as these US regulations are all in their first version, and both technology and consumer expectations are rapidly changing. The FDBR does not include private right of action, so consumer class-actions lawsuits will not be a potential influence on future amendments to Florida’s privacy law as they may be in California.

Eventual case law may also clarify some of the law’s requirements or prohibitions, especially as they pertain to newer technologies for facial or voice recognition or audio recording, or operation of social media platforms.

Consulting qualified legal counsel and/or your organization’s data privacy expert, like a Data Protection Officer, is recommended to ensure responsibilities are met.

Beyond just meeting requirements, being proactive about protecting user privacy is a valuable business effort. It builds user trust and engagement, provides better user experiences, and strengthens customer relationships long-term.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.