Florida Digital Bill of Rights: a Comprehensive Guide

Florida became the tenth state in the United States to approve a consumer privacy bill, SB 262. 

Florida Digital Bill of Rights (FDBR) became effective on July 1, 2024.

The FDBR differs from the other US comprehensive state privacy laws focusing on child protection, social media, and technology regulation. Several aspects, including compliance thresholds, particularly target big tech companies.

What Is the Florida Data Privacy Act?

The Florida Digital Bill of Rights (FDBR) protects the digital privacy and personal data rights of Florida’s residents and sets data privacy responsibilities for companies doing business in the state or providing goods or services for Florida residents.

Unlike other US state-level data privacy laws with quite a broad coverage, the FDBR focuses on major tech companies, emerging consumer technologies, and online social media platforms. Thus, it is considered narrower in scope and less comprehensive than many of the recent US state-level privacy laws.

Florida defines a consumer as a resident of or person living in the state and acting in an individual or household context and not in a commercial or employment context.

Like most other US state-level privacy laws, the Florida law follows an opt-out model, meaning that cookie consent isn’t required before data collection or processing in most cases. However, prior consumer consent is required when dealing with personal data belonging to a known child. Florida’s law defines a child as a person under 18, unlike the more common age limit of 13.

Entities that fall under the scope of the FDBR must clearly inform consumers about their data collection and processing practices, present consumer rights, and clarify how to exercise those rights.

Use CookieScript cookie consent widget to get valid Cookie Consent from users.

Who does the Florida Data Privacy Act Apply to?

The law applies to such a data controller if the following two criteria are met:

1. An organization’s gross annual revenue is more than $1 billion, and
2. An organization satisfies one of the following:

• Derives 50 percent or more of its global gross annual revenue from the sale of advertisements online, including providing targeted advertising or the sale of ads online.
• Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. Consumer smart speaker and voice command component service does not include a motor vehicle, speaker or device associated with or connected to a vehicle that is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof.
• Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

The Florida Digital Bill of Rights with a revenue threshold of USD 1 billion, primarily applies to large businesses. This is different from other US state laws. The California Consumer Privacy Act (CCPA) sets a threshold for just USD 25 million in gross annual revenue. Newer laws like the Tennessee Information Protection Act (TIPA) and the New Jersey Data Privacy Act (NJDPA) have no requirements related to revenue.

The law also includes specific provisions for major tech companies involved in digital advertising, smart speaker technologies, voice commands, and digital distribution platforms. Such rules are unique to Florida and target companies like Apple and Alphabet (Google), which provide these technologies.

The FDBR also includes several provisions for the protection of the personal data of users and provides exemptions from the law.

Exemptions from the Florida Data Protection Law

The Florida Digital Bill of Rights exempts certain institutions from complying, including:

• State government agencies.
• Financial institutions.
• Entities and affiliates, subject to the Gramm-Leach-Bliley Act.
• Insurance companies.
• Postsecondary education institutions.
• Nonprofit organizations.

There are also data-related exemptions, which include:

• Health records.
• Data used to provide financial services.
• Research data for human subjects covered by federal laws or standards.
• Data processed or maintained for employment purposes.
• Data created for or collected in pursuance to several federal laws.

The following exemptions to the Florida data privacy law are mainly the same as other US data privacy regulations, deferring to existing federal laws, including:

• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act
• Patient Safety and Quality Improvement Act.
• Fair Credit Reporting Act.
• Children’s Online Privacy Protection Act (COPPA).
• Family Educational Rights and Privacy Act.
• Driver’s Privacy Protection Act.
• Farm Credit Act.
• Airline Deregulation Act.

Does the Florida data privacy law apply to small businesses?

The Florida privacy law doesn't apply to most small businesses. Business must meet the gross annual revenue threshold of USD 1 billion for the law would cover it. The Florida data privacy law primarily applies to large businesses.

Currently, fewer than 6,000 businesses are operating in Florida that surpass the USD 1 billion revenue threshold.

Consumers’ Rights Under the Florida Digital Bill of Rights

Consumers have several rights under the Florida data privacy law, corresponding with other global and US data privacy regulations, namely:

• Right to access. Consumers can request if the controller is processing their personal data and access that data, with certain exceptions.
• Right to correction. Consumers can request to correct inaccurate data the controller contains, taking into account the nature of the personal data and the purposes of its processing.
• Right to delete. Consumers can request to delete any personal data the controller has about or from the consumer, with certain exceptions.
• Right to portability. Consumers have the right to obtain a copy of their personal data in a readily usable format, with some exceptions.
• Right to opt-out. Consumers can opt out of:
  The processing of their personal data for sale, targeted advertising, and certain profiling “in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer”.
  The collection or processing of sensitive data, including precise geolocation data.
  The collection of personal data through the operation of a voice recognition or facial recognition feature.

Parents or legal guardians can exercise these rights on behalf of their children under the age of 18.

Like many other US state laws, the FDBR does not grant a private right of action, which would allow consumers to directly sue violators.

California is currently the only US data privacy law that gives consumers a private right of action.

Data Controllers’ Obligations Under the Florida Digital Bill of Rights

The Florida privacy law sets controllers several responsibilities to protect consumers’ personal data.

Controllers must notify consumers of:

• Their rights regarding their personal data.
• Means for consumers to exercise those rights, including contact information.
• Procedure for appealing against the controller’s decision like rejection of a consumer’s request.

This information is typically provided in a Privacy Policy or cookie notice.

Controllers must establish at least two secure, reliable, and easily accessible methods for consumers to exercise their rights under the FDBR. Consumers must not be required to create a new account just to exercise their rights.

The controller has 45 days from the date of receipt to respond to an authenticated consumer request. The controller can decline to respond to the request for specific reasons, like not being able to verify the consumer’s identity or in the case the consumer submits a huge number of requests within a 12-month period.

If the controller can’t fulfill the request within the 45-day period, they can extend the response period by 15 days, with prior notification to the consumer.

In total, data controllers have 60 days to inform consumers if their request has been fulfilled. If a request is denied, consumers can appeal the decision. In this case, the controller must provide information on how to proceed with the appeal. The controller has 60 days to respond to the appeal.

Privacy notice under the FDBR

Controllers must publish a privacy notice providing:

• Categories of personal data processed, including sensitive data, if any.
• Purpose for processing personal data.
• Methods for consumers to exercise their rights and appeal a controller’s decision.
• Categories of personal data shared with third parties, if any.
• Categories of third parties receiving personal data, if any.
• Methods for consumers to opt out of the sale of personal data to third parties or processing of personal data for targeted advertising or profiling.

If a controller sells sensitive personal data, they must also include a notice with the exact wording: “NOTICE: This website may sell your sensitive personal data” or “NOTICE: This website may sell your biometric personal data” depending on the type of data sold.

The privacy notice must be updated annually under the law.

Data Protection Assessments under the FDBR

Controllers must perform and document Data Protection Assessments (DPA) to perform certain data processing activities, including:

• Targeted advertising.
• The sale of personal data.
• Processing data for the purposes of profiling if it presents a reasonably foreseeable risk to the consumer.
• Processing sensitive data.
• Processing activities that involve personal data that present a heightened risk of harm to the consumer.

The controller’s data protection assessment must evaluate the following aspects:

• Identify and weigh the direct and indirect benefits to the controller, consumer, and other stakeholders against the potential risks to consumer rights.
• Process deidentified data, the consumer’s reasonable expectations, the processing context, and the relationship between the controller and the consumer.

Data controllers can use a single assessment to address these issues.

Purpose limitation under the FDBR

Controllers are permitted to process personal data provided that the processing remains “adequate, relevant, and reasonably necessary” while being proportional to those purposes.

Data security under the FDBR

Controllers must take all reasonable measures to protect the personal data of consumers. They must establish, implement, and maintain reasonable administrative, technical, and physical security measures that are appropriate to the nature and volume of personal information being processed.

Nondiscrimination under the FDBR

Data controllers must not unlawfully discriminate against consumers for exercising their rights. For example, consumers can’t be denied access to a website just because they don’t allow to collect their personal data. Data controllers must also not process personal data in violation of state or federal anti-discrimination laws.

Some website features may require certain cookies or other trackers that collect personal data to function correctly. If consumers choose to block these trackers, the website might not work optimally. However, this decreased website functionality without trackers is not considered discriminatory.

Controllers can offer voluntary involvement programs, such as discounts for consumers who participate in loyalty programs or newsletter subscriptions, where personal data is collected and processed. Such incentives should be reasonable and proportionate to the data collected, since regulators disapprove of disproportionate rewards for the purposes to data collection.

Data processing agreements under the FDBR

The Florida Data Privacy Act requires data controllers to sign contracts with processors to define data processing procedures.

Data processors have the responsibility to help controllers meet their duties under the FDPB that relate to security, transparency, retention, deletion, assessment, and reporting of data.

The data processing agreements should include details on:

• Instructions for processing data.
• Purpose of data processing.
• Type of data being processed.
• Duration of processing.
• Rights and obligations of both parties.
• Duty of confidentiality.

Enforcement of the Florida Digital Bill of Rights

The Attorney General of Florida and the Department of Legal Affairs have exclusive authority to enforce the Florida Digital Bill of Rights.

Consumers don’t have a private right of action, however, they can report potential violations or complaints about denied requests to the Attorney General’s office. The Attorney General must inform the accused parties, detailing the suspected violations.

Penalties under the Florida Digital Bill of Rights

Noncompliance with the Florida Digital Bill of Rights can result in fines up to $50,000 per violation if a controller or its data processors remain in violation after the cure period.

Noncompliance with the FDBR could also lead to legal actions. The Florida Attorney General can adopt rules to implement the FDBR, initiate investigations, and take legal action against violators.

The penalties can be tripled under the following conditions:

1. The violation involves a known child.
2. A controller or processor doesn’t delete personal data after receiving a verified consumer request.
3. A controller continues to sell or share a consumer’s personal data after the consumer uses their opt-out rights.

CookieScript CMP- Your solution to Maintain Compliance with the FDBR 

CookieScript Consent Management Platform (CMP) could be your best solution to comply with the FDBR and other privacy laws. It has all the necessary functionalities:

• geo-targeting. You can specifically target the consumers of Florida with the geo-targeting functionality.
• Google-certified CMP. CookieScript is a Google-certified CMP partner and comes with a full IAB TCF v2.2 integration.
• Supports Google Consent Mode v2. If you want to use Google services (GA4, Google Ads, gtag, and Google Tag Manager) in the EU or EEA, you need to use a Google-certified CMP.
• Local Storagge and Session Storage scanning and blocking. GDPR and other privacy laws require blocking of cookies, Local Storagge and Session Storage until user consent is given. However, majority of CMPs do not offer this functionality. CookieScript blocks both Local Storagge and Session Storage.
  
• Multiple integrations. CookieScript CMP integrates easily with Google services automatically via Google Tag Manager, so you could use Google advertisement products easily. The CookieScript CMP is also integrated with other platforms, including content management systems such as Drupal, Magento, Shopify, WordPress, PrestaShop, etc., and analytics platforms, including Google Analytics 4.
• Fully customizable. CookieScript CMP allows Cookie Banner behavior adjustments, and design customization, and has a self-hosted code option.

Frequently Asked Questions

What is the Florida Digital Bill of Rights?

The Florida Digital Bill of Rights (FDBR) protects the digital privacy and personal data rights of Florida’s residents and sets data privacy responsibilities for companies doing business in the state or providing goods or services for Florida residents. It follows an opt-out model, meaning that consumer consent isn’t required before data collection or processing in most cases. Use CookieScript to comply with the FDBR and other privacy laws in the US.

Is the Florida Digital Bill of Rights already in force?

Yes, the Florida Digital Bill of Rights (FDBR) became effective on July 1, 2024. CookieScript CMP can help you to comply with the FDBR and other privacy laws in the US.

What are the differences between the Florida Digital Bill of Rights and other US state-level privacy laws?

Unlike other US state-level data privacy laws with quite a broad coverage, the FDBR focuses on major tech companies, emerging consumer technologies, and online social media platforms. Thus, it is considered narrower in scope. In addition, Florida’s law defines a child as a person under 18, unlike the more common age limit of 13. CookieScript CMP can help you to comply with the FDBR and avoid fines and penalties.

Does the Florida data privacy law apply to small businesses?

The Florida privacy law doesn't apply to most small businesses. Businesses must meet the gross annual revenue threshold of USD 1 billion for the law would cover it. The Florida data privacy law primarily applies to large businesses.

What are the penalties for the violation of the Florida Digital Bill of Rights?

Noncompliance with the Florida Digital Bill of Rights can result in fines up to $50,000 per violation and could also lead to legal action. The Florida Attorney General can adopt rules to implement the FDBR, initiate investigations, and take legal action against violators. CookieScript CMP can help you to comply with the FDBR and avoid fines and penalties.