Understanding the New Florida Digital Bill of Rights
A few months ago, Florida officially passed legislation to guarantee certain data privacy rights for Florida consumers. Called the Florida Digital Bill of Rights (FDBR), the legislation joins the growing ranks of state-level laws designed to make up for the current lack of federal protection for personal data.
Today, we’ll explain what the FDBR means for Florida residents, businesses, and other organizations. Read on to find out about its key requirements, timeline, plans for implementation and enforcement, and more.
What are the key elements of the Florida Digital Bill of Rights?
Signed into law in June 2023 by Governor Ron DeSantis, the Florida Digital Bill of Rights (i.e. Senate Bill 262) focuses primarily on technology transparency. Although the legislation features significant differences from the data privacy laws that have recently arisen in other states, it does still offer new consumer rights to give Floridians better control over the processing of their personal data.
According to the governor’s website, the newly created Digital Bill of Rights gives Florida data subjects:
- The right to control their personal data, including the right to confirm, access, and delete their personal data from a social platform.
- The right to know that their personal data will not be used against them when purchasing a home, obtaining health insurance, or being hired.
- The right to know how internet search engines manipulate search results.
- The right to opt out of having personal data sold.
- The right to protect children from personal data collection.
Additionally, Florida data subjects may correct inaccuracies in their personal data, obtain a copy of their data in a portable digital format, opt out of having their sensitive data collected or processed, and opt out of having their personal data collected through a voice recognition or facial recognition system.
New obligations for data controllers
Under the FDBR, data controllers in Florida must establish at least two methods for consumers to submit requests to exercise their rights. Data controllers — which we’ll define in more detail below — will also have to respond to consumer requests within 45 to 60 days. Additionally, they must:
- Obtain consumer consent before processing sensitive data, which Florida defines as a category of personal data that includes personal data about an individual’s racial or ethnic origin, religious beliefs, mental or physical health, sexual orientation, citizenship or immigration status, genetic or biometric data, and geolocation data.
- Conduct and document data protection assessments for sensitive data processing, targeted advertising, and potentially harmful data processing activities.
- Provide consumers with an annually updated, accessible, and clear privacy notice.
- Refrain from collecting data when voice-activated devices are not in active use unless expressly authorized.
FAQ: The Florida Digital Bill of Rights
Whether you're a Florida resident eager to protect your digital footprint or a data security expert who’s curious about the evolving landscape of state data privacy legislation, you likely have questions about the logistics of the FDBR. Below, we provide answers to some frequently asked questions.
Who must comply with the Florida Digital Bill of Rights?
The full text of the FDBR clarifies that the legislation applies to “data controllers.” It defines data controllers as entities that generate more than $1 billion in gross annual revenue and that:
- derive at least 50% of that revenue from the sale of digital advertisements, or
- operate an app store or similar online platform like a digital distribution platform with at least 250,000 different apps, or
- operate a consumer voice-activated service that involves voice commands and an integrated virtual assistant connected to a cloud computing service.
These terms mean that most organizations outside of large enterprises and certain tech companies will not be required to meet FDBR compliance.
Who is exempt from the Florida Digital Bill of Rights?
The FDBR excludes certain entities, sometimes because industry-based data privacy regulations already exist for those entities and sometimes because of the nature of the organization. The legislation includes the following exemptions:
- State agencies.
- Nonprofit organizations.
- Postsecondary education institutions.
- Financial institutions governed by the Gramm-Leach-Bliley Act.
- Entities governed by the Health Insurance Portability and Accountability Act (HIPAA).
The FDBR also does not apply to the processing of personal data solely for measuring or reporting advertising performance, reach, or frequency.
What’s the timeline for implementing the FDBR?
The Florida Digital Bill of Rights will take effect on July 1, 2024, allowing slightly over a year for data controllers to prepare to meet compliance. The part of the FDBR that prohibits the government-directed moderation of social media platforms went into effect even sooner, on July 1, 2023.
How will the Florida Digital Bill of Rights be enforced?
The Florida Attorney General’s Office will handle enforcement of the FDBR, with some violations allowed a discretionary 45-day cure period. Once the law goes into effect, the Attorney General will be able to enforce violations by bringing a legal action under the Florida Deceptive and Unfair Trade Practices Act and seeking a civil penalty of up to $50,000 per violation. These penalties may be tripled in certain circumstances.
How does the FDBR compare to other state data privacy laws?
While most state-level data protection laws emphasize protecting the personal data of consumers and requiring businesses to be transparent about their data processing practices, Florida’s legislation differs in several important ways. Here, we’ll explore some of the top differences.
Broad focus on children. The FDBR prohibits online platforms from using so-called “dark patterns” and from processing children’s data if they know that the processing will result in “substantial harm or privacy risk” to children. It also restricts profiling and collecting geolocation data except in certain circumstances, and it requires data minimization by heavily restricting the collection, sale, and retention of personal information from a child. While some similar restrictions can be found in laws like the CCPA, the broadness of the scope in the FDBR is notable.
Banning government moderation of social media. Under the FDBR, government entities are prohibited from contacting social media platforms to request the removal of content and from initiating agreements with social media platforms with the purpose of moderating content. According to the Florida governor’s office, the law also prevents “government-led censorship” by “prohibiting state or local government employees from colluding with Big Tech companies to censor protected speech.” These features are unique to Florida’s law and are not seen in leading data privacy legislation from states like California, Connecticut, or Iowa.
Narrow scope of covered entities. Other state data privacy laws, like the Colorado Privacy Act and the Virginia Consumer Data Protection Act, typically focus their criteria on the quantity and nature of a business’s data processing. Florida, on the other hand, focuses primarily on businesses that are tech giants and excludes other kinds of companies.
Search engine politics. The Florida Digital Bill of Rights requires Google and other large search engines to disclose whether they prioritize search results based on political ideology, seemingly reflecting the common misperception that a political bias exists in tech algorithms and social media platforms. This feature is not present or publicized in other state data privacy laws.
Higher revenue threshold. Other state privacy laws typically set lower thresholds for annual revenue than Florida’s $1 billion amount. For example, the California Consumer Privacy Act and the Utah Consumer Privacy Act both require compliance for any non-exempt organization with a gross annual revenue above $25 million.
All in all, these features make the FDBR a comparatively narrow and politicized piece of legislation — albeit one that still offers Florida consumers some new rights over their personal data.
How should companies prepare for the Florida Digital Bill of Rights?
First, most companies will not meet the criteria for compliance with the Florida law. Even data processors that participate in the collection or sale of personal data from Florida residents will not need to comply with the FDBR unless their organization generates over $1 billion in annual revenue and meets additional criteria.
However, for the few large technology companies that do fall under the new digital privacy law, there are several steps they must take. Their IT team and department of legal affairs should work together to:
- Prepare to receive and respond to consumer requests.
- Update privacy notices.
- Establish processes for obtaining clear and informed consent for the processing of certain kinds of personal or sensitive data.
- Conduct data protection impact assessments.
- Strengthen their overall data security and privacy posture.
Achieve compliance in Florida and beyond with ShardSecure
Whether you’re in Alaska or Zurich, Florida or Florence, compliance with data privacy regulations is challenging. The regulatory landscape is constantly evolving, and the ongoing lack of a federal data privacy law in the US makes compliance particularly tricky as states create their own legislation.
ShardSecure’s technology provides advanced data privacy, security, and resilience for companies looking to protect consumers’ personal data or their own sensitive organizational data in on-prem and cloud environments. Our platform offers an innovative approach to file-level encryption that secures data from access by unauthorized third parties, including infrastructure providers and cloud storage admins.