



Enacted in July 2024, the Florida Digital Bill of Rights (FDBR) significantly impacts the data privacy landscape within the state. This legislation empowers Florida residents with control over their personal information, offering a framework for data access, correction, and deletion. We will explore the key provisions of the FDBR and its implications for both consumers and businesses.

The Florida Digital Bill of Rights is the state's comprehensive data privacy law. It is not as comprehensive as other state consumer privacy laws, however.
It only applies to large businesses because of the high applicability thresholds.
Simply put, if you don't generate a certain amount of revenue or process data from a large number of Florida residents, the FDBR is unlikely to affect you.
However, for those large businesses that it does apply to, the law grants Florida residents several key rights regarding their personal information. These include:
The Florida Digital Bill of Rights came into effect on July 1, 2024.
The Florida Digital Bill of Rights (FDBR), established under Senate Bill 262, primarily applies to certain large businesses and includes several key provisions regarding the protection of personal data. Here is a detailed breakdown of its applicability:
2. Broader Applicability. In addition to these large entities, the FDBR includes provisions that apply more broadly to for-profit businesses that collect and process personal data about Floridian consumers, particularly regarding the sale of sensitive personal data. Sensitive data includes personal information revealing racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, genetic or biometric data, and data collected from children.
The FDBR's provisions exempt several types of entities and data, including
Many of these entities wouldn't pass the thresholds anyway, yet there is a clear exclusion for them in the law.
The Florida privacy law doesn't apply to most small businesses. If a small business meets the thresholds, the law may cover it, though this is unlikely.
The FDBR grants Floridian consumers several rights similar to those found in other state privacy laws, such as the rights to access, correct, and delete personal data and to opt out of the sale of personal data. There are also specific provisions to protect children's online privacy.
Keep in mind that simply being a Florida resident does not grant anyone these rights unless the business meets the stringent applicability thresholds.
The Florida Digital Bill of Rights (FDBR) imposes several requirements on businesses that fall under its scope. Here are the key requirements:
Sensitive data is an exception to the general rule that permits data processing without consent.
Businesses must obtain explicit consent before processing any sensitive data, which includes:
For all other data, consumers can opt out as required by law.
Yes, privacy notices are required under the Florida Digital Bill of Rights (FDBR).
Businesses must provide clear and comprehensive privacy notices, which should include the following:
These notices must be easily accessible to consumers and must not require them to log in or register to read them. This ensures transparency and ease of access for all consumers.
In particular, businesses operating search engines must provide an easily accessible, plain language description of the main parameters used to rank search results, including how political partisanship or ideology influences these rankings.
Businesses subject to the Florida data protection law that sell sensitive or biometric data must include explicit notices stating:
FDBR breaches can result in civil penalties of up to USD 50,000 per violation, which is significantly higher than other US state privacy laws. If the violation involves a minor under 18, if the entity fails to delete or correct personal data upon request, or if the entity continues to sell or share personal data after the consumer has opted out, the amount can triple.
The Florida Attorney General enforces the law. The procedure starts with a 45-day cure period; if the violation is not cured within that period, the Attorney General may issue penalties.
This law does not give Florida residents a private right of action.