On June 6, Florida Governor Ron DeSantis approved the passage of Senate Bill 262, which establishes the Florida Digital Bill of Rights (FDBR), set to go into effect July 1, 2024. Florida is now the tenth state to pass comprehensive consumer data privacy legislation. While narrower than other previously enacted state privacy laws, the FDBR still presents important considerations and requirements for businesses operating in Florida.
Although the law is largely modeled off of other states’ consumer privacy laws (particularly Virginia), the FDBR contains several provisions which make it unique, including a complicated applicability threshold, additional opt-out rights and consent requirements, and exclusive enforcement by the Attorney General as well as the inclusion of a cure period. The FDBR also includes provisions protecting children online and imposes restrictions on government employees and entities online. Each of these is discussed in further detail below.
Applicability Threshold – Not Just Big Tech
The FDBR appears to have quite narrow applicability as compared to other state privacy laws, particularly given that it applies to entities (known as “controllers”) that generate more than $1 billion in annual global revenue and meet one of the following criteria:
- Derive at least 50% of global annual revenues from the sale of advertisements online (including from providing targeted advertising).
- “Operate… a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation.”
- Operate an app store or digital distribution platform with at least 250,000 apps for consumers to download and install.
This definition of “controller” gives the illusion that the FDBR only affects large technology companies, when in reality, the law’s provision requiring consumer consent before selling sensitive data or processing the sensitive data of a known child applies to any for-profit entity that conducts business in Florida and collects personal data. That being said, a majority of the provisions in the FDBR will not apply to most businesses. It is also important to note that Florida’s definition of “known child” is an individual under the age of 18, which is higher than the definition in other existing state laws.
Additional Opt-Out Rights and Consent Requirements
Under the FDBR, consumers will have several opt-out rights commonly found in other existing state comprehensive privacy laws (including but not limited to the right to confirm and access their personal data; the right to delete, correct, or obtain a copy of their personal data; and the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, and certain types of profiling). In addition to these typical opt-out rights, the FDBR also provides consumers with the right to opt out of the collection or processing of sensitive data (including precise geolocation data) and the collection of personal data through the operation of voice recognition or facial recognition features. Further, Florida’s definition of “sensitive data” is unique in that it includes personal data collected from a known child, which, as mentioned above, is anyone under the age of 18.
The FDBR also prohibits devices with voice or facial recognition, video, audio, or other monitoring features from engaging in surveillance when those features are not in active use by a consumer without the consumer’s authorization. Consumer consent is also required for the processing and sale of sensitive data.
A Few Other Quirks
The FDBR further differs from existing state privacy laws in a few other ways:
- Businesses that sell consumer data must have two separate notice provisions on their website alerting consumers that (1) sensitive data may be sold and (2) biometric personal data may be sold, both written in language specified in Section 501.711 of the law.
- Search engines must provide consumers with a “plain language” description of the “main parameters” used to determine how results are provided to users.
- Businesses that maintain self-service correction mechanisms may deny consumer correction requests and direct consumers to such self-service correction mechanisms.
- Controllers may retain consumer personal data for no more than two years, subject to several exceptions (e.g., where legally required to retain, to provide goods and services, etc.).
Exclusive Attorney General Enforcement and Cure Period
The Florida legislature did not create a private cause of action in connection with violations of the FDBR. Instead, the Florida Attorney General and the Florida Department of Legal Affairs (Department) have the exclusive ability to enforce the provisions of the FDBR as well as the ability to provide a 45-day cure period before enforcement at the Department’s discretion. Additionally, the FDBR authorizes civil penalties of up to $50,000 per violation and grants the Department rulemaking authority to assist in the implementation of the law.
Online Protections for Children
The FDBR establishes several protections for children online by prohibiting “online platforms that provide an online service, product, game, or feature likely to be predominantly accessed by children” from processing or collecting the personal information of children in specific ways, including “processing [that] may result in substantial harm or privacy risk to children” and restrictions on platforms’ ability to profile children and collect, sell, use, share or retain children’s personal information. “Substantial harm or privacy risk to children” means the processing of personal information in such a way that it may result in “any reasonably foreseeable substantial physical injury, economic injury, or offensive intrusion into the privacy expectations of a reasonable child under the circumstances,” including mental health disorders, patterns of use that indicate or encourage addictive behaviors, violence, sexual exploitation, promotion of drugs, predatory practices, and financial harm.
The provision also focuses on restricting the use of children’s geolocation data and the use of dark patterns. A significant result of this section of the law is that it likely will require businesses to undertake an impact assessment to document that a use case does not create risks to children and that personal data will not be used beyond what is minimally necessary. The Department also has exclusive authority to enforce these provisions subject to the same discretionary 45-day cure period as the other provisions in the FDBR.
Government Influence Online—An Interesting Add-On
Unlike any other current state privacy laws, the FDBR incorporates a provision to limit government influences online. Beginning July 1, 2023, government employees and entities will be prohibited from using their position or any state resources to communicate with a social media platform to request that it remove any content or accounts. Further, government entities will not be allowed to initiate or maintain any agreements with social media platforms for the purpose of content moderation (with the exception of routine account maintenance or attempts to remove content or accounts due to the commission of a crime or efforts to prevent property damage, bodily harm, or loss of life).
- July 1, 2023: Provisions restricting government employees’ and entities’ online activities effective.
- July 1, 2024: All other FDBR provisions go into effect.
Our team will continue to monitor the FDBR. If you have any questions about the FDBR or other state privacy laws and how they could affect your business, please contact the authors.