Florida’s Digital Bill of Rights Becomes Law

Florida enacted a new data privacy law that mirrors similar privacy laws in other states such as Virginia, Colorado, and Utah. Senate Bill  262, otherwise known as the Florida Digital Bill of Rights (“FDBR”), was signed into legislation by Governor Ron DeSantis on June 6 and will take effect on July 1, 2024. The FDBR applies to companies that generate more than $1 billion U.S.D. in gross annual revenue and derive at least 50% of their revenue from the sale of digital advertisements, operate an app store or digital distribution platform that offers at least 250,000 different software applications, or operate a smart-speaker and voice-command service with an integrated virtual assistant connected to a cloud computing service with verbal activation. The FDBR applies to all entities, with the exception of state agencies, financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA-covered entities, nonprofit organizations, and postsecondary education institutions.

Consumer Privacy Rights

The FDBR affords consumers a wide range of rights as to their personal data held by a company, including (1) the right to confirm whether a data controller is processing their personal data and the right to access their personal data; (2) the right to correct inaccuracies in their personal data; (3) the right to delete any or all personal data provided by or obtained; (4) the right to obtain a copy of their personal data in a portable, readily usable format; (5) the right to opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect; (6) and the right to opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.

Data Controller’s Obligations

The data controller must establish two or more methods for consumers to submit requests to exercise their rights, and obligates data controllers to respond to consumer request responses within 45 days, though the response period can be extended up to 60 days “when reasonably necessary.” The law prohibits data controllers from discrimination in data subject requests.

Data controllers cannot process sensitive data without obtaining the consumer’s consent. Under the FDBR, data controllers are required to conduct and document data protection assessments for sensitive data processing and processing activities for data sales, targeted advertising, and profiling that “presents reasonably foreseeable or heightened risk of harm to consumers.”

Businesses are required to provide consumers with a “reasonably accessible and clear” privacy notice that is updated at least annually. The FDBR also restricts businesses from collecting data when voice-activated devices are not in active use by a consumer unless expressly authorized. Government entities are prohibited from contacting social media platforms in order to request the removal of content. They are also prohibited from initiating any agreements with social media platforms with the purpose of moderating content.

Children’s Data

The FDBR prohibits an online platform from processing children’s data if it has knowledge or willfully disregards that processing it will result in substantial harm or privacy risk to children. The FDBR also proscribes online platforms from profiling children unless there are safeguards in place or there is a compelling reason that the profiling does not pose a substantial risk of harm or risk of privacy to the children. Online platforms are also forbidden from using children’s data for other reasons, retaining unnecessary information, collecting, selling, or sharing children’s geolocation data, or using dark patterns to lead or encourage children to take certain actions.

Penalties & Absence of Private Right of Action

Under the law, the Florida attorney general will have exclusive enforcement authority to fine companies up to $50,000 per violation, which can be tripled under certain circumstances. Consumers are not afforded a private cause of action under the law.