The Florida Digital Bill of Rights is a comprehensive privacy law that aims to protect the digital privacy of Floridians from large technology companies. SB 262 departs from most US state privacy laws by addressing novel issues such as surveillance of consumers through device features, government censorship, and data retention schedules. In this guide, we analyze the Florida Digital Bill of Rights (FDBR).
Effective date: July 1, 2024
Official legal text: SB 262
What is the Florida Digital Bill of Rights (FDBR)?
Florida's governor signed SB 262, the state's privacy law, in June 2023. It takes effect on July 1, 2024, giving businesses a year to prepare for compliance. The governor and the bill's sponsors presented it to the public as a bold, extensive privacy regulation addressing the privacy concerns of Floridians.
SB 262 regulates the processing of children's personal data, government interference with Floridians' right to free speech, and the handling of personal data, including sensitive data. This guide focuses primarily on the Digital Bill of Rights portion of the act.
Although the act appears to cover any business collecting Floridians' personal data, the definition of "controller" and its associated thresholds sharply narrow its scope. In practice, the law targets large technology companies.
Florida's privacy law requires additional disclosures in the privacy notice, such as a description of the main parameters search engines use to rank results. It also requires covered entities to provide opt-out mechanisms for more uses of personal data than just its sale or use in targeted advertising.
The enforcement agency for FDBR is the Department of Legal Affairs.
To whom does the Florida Digital Bill of Rights apply?
Florida's data privacy law intends to shift authority over personal data from businesses to the individual. Detailed privacy disclosures and duties imposed on organizations are the means to that end.
FDBR narrows its scope with a revenue threshold of $1 billion, far above the thresholds used by other state privacy laws. In practice, FDBR covers technology giants such as TikTok and Google.
The Governor, Ron DeSantis, while addressing the press, said: "If a multi-billionaire dollar company is conspiring to take your data and sell it or use it against you, it is your right to be able to protect that data".
So, who needs to comply with the law? Let us find out.
The Florida Digital Bill of Rights applies to for-profit legal entities with global gross annual revenue exceeding $1 billion that collect the personal data of Floridians and meet at least one of the following three conditions:
- Derives at least 50% of its global gross annual revenue from the sale of online advertisements.
- Operates a consumer smart speaker and voice command service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation (e.g., Amazon's Alexa).
- Operates an app store or digital distribution platform offering 250,000 or more applications for consumers to download and install.
Smart speakers and voice command services built into vehicles and operated by the vehicle's manufacturer are excluded from this definition.
Who is exempted from the applicability of the Florida Digital Bill of Rights?
Florida's privacy law exempts certain entities and categories of personal data from its scope.
The primary exemption is for the processing of personal data in a purely personal or household context.
It also exempts personal data used to measure the performance of advertisements and personal data processed for payment transactions to purchase products.
FDBR does not apply to entities such as:
- State agencies and political subdivisions of Florida
- Financial institutions covered by the Gramm-Leach-Bliley Act and covered entities under HIPAA
- Non-profit organizations
- Post-secondary educational institutions
Apart from these entities, the law also exempts patient-identifying information, protected health information under HIPAA, health records, and personal data used in human-subject research, among other categories.
Furthermore, Florida's privacy law exempts personal information covered by the Driver's Privacy Protection Act, the Fair Credit Reporting Act, and the Airline Deregulation Act, among other federal statutes.
What is personal data under the Florida Digital Bill of Rights?
FDBR defines personal data as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.
Pseudonymous data is treated as personal data only when it is used together with the additional information that links it to the individual.
Publicly available information and de-identified data are excluded from the definition of personal data.
Publicly available information is information that is lawfully made available:
- through government records
- by the consumer, or by a person to whom the consumer disclosed it, unless the consumer restricted the information to a specific audience
What is sensitive data under the Florida Digital Bill of Rights?
The following categories of personal data are considered sensitive under FDBR.
Personal data that reveals:
- Racial/ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data processed to uniquely identify an individual
- Personal data collected from an individual known to be a child
- Precise geolocation data
What are the duties of businesses under the Florida Digital Bill of Rights?
The law imposes obligations on businesses to prevent the arbitrary use of Floridians' personal data. This section covers the duties of businesses under Florida's privacy law.
Data minimization and purpose limitation
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the specific purpose disclosed to the consumer.
- Restrict the use of personal data to what is adequate, necessary, and relevant to the purpose for which it was collected.
Security safeguards
- Establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of the personal data retained.
- The safeguards must be appropriate to the volume and nature of the personal data at issue.
Non-discrimination
- Do not discriminate against consumers for exercising their rights, for example by denying goods or services, charging different prices, or providing a different level of quality.
- Comply with state and federal laws prohibiting unlawful discrimination.
- Businesses may still offer products for free or at different prices, rates, quality levels, or quantities based on a consumer's voluntary participation in a premium, loyalty, club card, or discount program.
Disclosures
- Provide a privacy notice that meets the FDBR requirements discussed later in this guide.
- Search engines must describe the main parameters used to rank search results, including whether those parameters prioritize or deprioritize content based on political partisanship or ideology.
Surveillance restriction
- Controllers that operate devices with voice recognition, facial recognition, video recording, or audio recording features must not use those features to surveil consumers while the feature is not in active use by the consumer, unless the consumer has expressly authorized it.
Retention schedule
- Implement a retention schedule that prohibits the use of personal data after the purpose for which it was collected has been satisfied, after the contract under which it was collected expires, or after two years without contact from the consumer.
- A schedule is not required for personal data collected for purposes such as internal uses, providing the products or services the consumer expects, or identifying and repairing errors.
Consent
- Obtain consent from the consumer before processing their sensitive data. Consumers between 13 and 18 years of age may give consent themselves.
- For known children under 13, obtain verifiable parental consent in accordance with COPPA.
- Obtain the consumer's prior consent before selling sensitive data.
- Consent is valid only if it is a clear affirmative act given freely, specifically, and unambiguously. Do not use dark patterns to obtain consent.
Response plan
- Respond to consumer requests within 45 days. Unlike most US state privacy laws, which allow a further 45 days, FDBR permits only one extension of up to 15 days, and the consumer must be promptly notified of it.
- Appeals must be answered within 60 days.
- A business that maintains a self-service mechanism for correcting personal data may decline a correction request and direct the consumer to make the correction there.
- Within 60 days of the request, notify the consumer that the request has been fulfilled.
- Fulfill requests free of charge up to twice per year per consumer.
Data protection impact assessments
- Conduct and document data protection impact assessments regularly.
- Each assessment must cover processing that presents a heightened risk, such as processing sensitive data, selling personal data, targeted advertising, and profiling.
- Keep the assessment records confidential.
Contractual relationship
- Enter into a contract with every processor that handles personal data on your organization's behalf and with other third parties engaged in the processing.
- The contract must set out the rights and obligations of each party, the nature of the processing and its duration, and clear instructions for the processing.
- Ensure that third parties comply with FDBR and keep the personal data confidential.
Consumer request mechanisms
- Provide two or more methods for consumers to submit requests to exercise their rights.
- Provide clear and convenient opt-out mechanisms; these are discussed further in the section on consumer rights.
- Establish a process for consumers to appeal the organization's decision on a request.
- The methods must be secure, reliable, and verifiable.
What are the consumer rights under the Florida Digital Bill of Rights?
Florida’s data privacy law confers consumer rights to Floridians, giving them authority over their personal data. The following are the rights of consumers:
Right to confirm and access
Consumers can confirm whether a business is processing their personal data and access the personal data the organization holds about them.
Right to correct
The law lets consumers correct inaccuracies in the personal data held about them. A business may instead maintain a self-service mechanism where individuals can make the correction themselves.
Right to delete
Consumers can request deletion of their personal data from the organization's systems. Some US state laws only require deletion of data the consumer provided; FDBR covers personal data regardless of its source.
Right to obtain/ right to portability
Consumers have the right to obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format.
Right to opt-out
FDBR guarantees consumers the right to opt out of certain uses of their personal data. Beyond the common opt-outs such as sale and targeted advertising, this law widens the scope of the right.
Consumers can opt out of the following:
- Sale of personal data
- Targeted advertising
- Profiling
- Collection of sensitive data, including precise geolocation, or the processing of sensitive data
- Collection of personal data through voice or facial recognition features
What are the privacy notice requirements under the Florida Digital Bill of Rights?
A privacy notice, sometimes called a privacy policy, is the primary transparency medium between individuals and entities. It reveals the data practices of a business and explains how it will handle personal data. The privacy notice must disclose the following:
- Categories of personal data, including sensitive data, that the business processes
- The purposes for processing personal data
- How consumers can exercise their rights and appeal the business's decisions
- Categories of personal data shared with third parties, if applicable
- Categories of third parties with whom personal data is shared
- If the business sells sensitive data, the statement: "NOTICE: This website may sell your sensitive personal data."
- If the business sells biometric data, the statement: "NOTICE: This website may sell your biometric personal data."
- If the business sells personal data or engages in targeted advertising, a disclosure of that fact together with the method for opting out
What are the penalties for violations of the Florida Digital Bill of Rights?
Any violation of FDBR is treated as an unfair and deceptive trade practice. The Department of Legal Affairs may bring an action and recover civil penalties of up to $50,000 per violation.
Penalties may be tripled where the violation involves a known child under 18, where the entity fails to delete or correct personal data after receiving a consumer request, or where it continues to sell or share personal data after the consumer has opted out.
The enforcement agency has discretion to grant a 45-day cure period before bringing an action. If the violation is cured within that period, no action follows. The agency may also issue a letter of guidance stating that no cure period will be offered for future violations.
There is no private right of action under FDBR.
Checklist for FDBR Compliance
- Practice data minimization and purpose limitation
- Provide a privacy notice for consumers
- Implement reasonable security measures
- Disclose your search result ranking parameters if you operate a search engine
- Do not surveil consumers through facial, voice, audio, or video features when they are not in active use
- Maintain a retention schedule
- Obtain prior consent before processing sensitive data, including a known child's personal data
- Maintain a response plan for consumer requests and appeals
- Have contracts in place with processors and third parties
- Provide opt-out mechanisms
- Conduct data protection impact assessments regularly
- Do not discriminate against consumers for exercising their rights
- Implement convenient consumer request mechanisms
Florida's FDBR vs. California's CCPA [infographic]
FAQ on the Florida Digital Bill of Rights
Is the Florida Privacy Protection Act the same as the Florida Digital Bill of Rights?
No, they are different. The Florida Privacy Protection Act (SB 1864) is a dead bill. The Florida Digital Bill of Rights (SB 262), however, was passed and takes effect on July 1, 2024, to regulate the handling of Floridians' personal data.
What is the Florida Digital Bill of Rights?
The Florida Digital Bill of Rights (FDBR) is Florida's privacy law and takes effect on July 1, 2024. It has unique provisions concerning the processing of personal data, privacy notices, and opt-outs. The law imposes duties on businesses and grants consumer rights to Floridians.
Is there a cure period under the FDBR?
The Department of Legal Affairs may, at its discretion, give violators a cure period of 45 days.
Does Florida have a data breach notification law?
Yes. Section 501.171, Florida Statutes (the Florida Information Protection Act), requires covered entities to notify affected individuals of a security breach within 30 days after the breach is determined. If the breach affects more than 1,000 individuals, the entity must also notify consumer reporting agencies.