A few months ago, Florida officially passed legislation to guarantee certain data privacy rights for Florida consumers. Called the Florida Digital Bill of Rights (FDBR), the legislation joins the growing ranks of state-level laws designed to make up for the current lack of federal protection for personal data.
Today, we’ll explain what the FDBR means for Florida residents, businesses, and other organizations. Read on to find out about its key requirements, timeline, plans for implementation and enforcement, and more.
Signed into law in June 2023 by Governor Ron DeSantis, the Florida Digital Bill of Rights (i.e. Senate Bill 262) focuses primarily on technology transparency. Although the legislation features significant differences from the data privacy laws that have recently arisen in other states, it does still offer new consumer rights to give Floridians better control over the processing of their personal data.
According to the governor’s website, the newly created Digital Bill of Rights gives Florida data subjects:
Additionally, Florida data subjects may correct inaccuracies in their personal data, obtain a copy of their data in a portable digital format, opt out of having their sensitive data collected or processed, and opt out of having their personal data collected through a voice recognition or facial recognition system.
Under the FDBR, data controllers in Florida must establish at least two methods for consumers to submit requests to exercise their rights. Data controllers — which we’ll define in more detail below — will also have to respond to consumer requests within 45 to 60 days. Additionally, they must:
Whether you're a Florida resident eager to protect your digital footprint or a data security expert who’s curious about the evolving landscape of state data privacy legislation, you likely have questions about the logistics of the FDBR. Below, we provide answers to some frequently asked questions.
The full text of the FDBR clarifies that the legislation applies to “data controllers.” It defines data controllers as entities that generate more than $1 billion in gross annual revenue and that:
These terms mean that most organizations outside of large enterprises and certain tech companies will not be required to meet FDBR compliance.
The FDBR excludes certain entities, sometimes because industry-based data privacy regulations already exist for those entities and sometimes because of the nature of the organization. The legislation includes the following exemptions:
The FDBR also does not apply to the processing of personal data solely for measuring or reporting advertising performance, reach, or frequency.
The Florida Digital Bill of Rights will take effect on July 1, 2024, allowing slightly over a year for data controllers to prepare to meet compliance. The part of the FDBR that prohibits the government-directed moderation of social media platforms went into effect even sooner, on July 1, 2023.
The Florida Attorney General’s Office will handle enforcement of the FDBR, with some violations allowed a discretionary 45-day cure period. Once the law goes into effect, the Attorney General will be able to enforce violations by bringing a legal action under the Florida Deceptive and Unfair Trade Practices Act and seeking a civil penalty of up to $50,000 per violation. These penalties may be tripled in certain circumstances.
While most state-level data protection laws emphasize protecting the personal data of consumers and requiring businesses to be transparent about their data processing practices, Florida’s legislation differs in several important ways. Here, we’ll explore some of the top differences.
Broad focus on children. The FDBR prohibits online platforms from using so-called “dark patterns” and from processing children’s data if they know that the processing will result in “substantial harm or privacy risk” to children. It also restricts profiling and collecting geolocation data except in certain circumstances, and it requires data minimization by heavily restricting the collection, sale, and retention of personal information from a child. While some similar restrictions can be found in laws like the CCPA, the broadness of the scope in the FDBR is notable.
Banning government moderation of social media. Under the FDBR, government entities are prohibited from contacting social media platforms to request the removal of content and from initiating agreements with social media platforms with the purpose of moderating content. According to the Florida governor’s office, the law also prevents “government-led censorship” by “prohibiting state or local government employees from colluding with Big Tech companies to censor protected speech.” These features are unique to Florida’s law and are not seen in leading data privacy legislation from states like California, Connecticut, or Iowa.
Narrow scope of covered entities. Other state data privacy laws, like the Colorado Privacy Act and the Virginia Consumer Data Protection Act, typically focus their criteria on the quantity and nature of a business’s data processing. Florida, on the other hand, focuses primarily on businesses that are tech giants and excludes other kinds of companies.
Search engine politics. The Florida Digital Bill of Rights requires Google and other large search engines to disclose whether they prioritize search results based on political ideology, seemingly reflecting the common misperception that a political bias exists in tech algorithms and social media platforms. This feature is not present or publicized in other state data privacy laws.
Higher revenue threshold. Other state privacy laws typically set lower thresholds for annual revenue than Florida’s $1 billion amount. For example, the California Consumer Privacy Act and the Utah Consumer Privacy Act both require compliance for any non-exempt organization with a gross annual revenue above $25 million.
All in all, these features make the FDBR a comparatively narrow and politicized piece of legislation — albeit one that still offers Florida consumers some new rights over their personal data.
First, most companies will not meet the criteria for compliance with the Florida law. Even data processors that participate in the collection or sale of personal data from Florida residents will not need to comply with the FDBR unless their organization generates over $1 billion in annual revenue and meets additional criteria.
However, for the few large technology companies that do fall under the new digital privacy law, there are several steps they must take. Their IT team and department of legal affairs should work together to:
Whether you’re in Alaska or Zurich, Florida or Florence, compliance with data privacy regulations is challenging. The regulatory landscape is constantly evolving, and the ongoing lack of a federal data privacy law in the US makes compliance particularly tricky as states create their own legislation.
ShardSecure’s technology provides advanced data privacy, security, and resilience for companies looking to protect consumers’ personal data or their own sensitive organizational data in on-prem and cloud environments. Our platform offers an innovative approach to file-level encryption that secures data from access by unauthorized third parties, including infrastructure providers and cloud storage admins.
To learn more, read our press release about being named a 2023 Gartner® Cool Vendor in Privacy. Or, check out our other resources on regulatory compliance.
Florida’s Digital Bill of Rights Becomes Law | Clark Hill PLC
2023 Legislature — SB 262 Bill Text | Florida Senate
Florida Digital Bill of Rights Signed Into Law | Davis Wright Tremaine
Political Bias on Social Media | Indiana University